
CVE-2022-2401: Mattermost users could access some sensitive information via API call

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.51864%
Published: 7/15/2022
Updated: 1/27/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
github.com/mattermost/mattermost-server/v6 | go | < 6.3.9 | 6.3.9
github.com/mattermost/mattermost-server/v6 | go | >= 6.4.0, < 6.5.2 | 6.5.2
github.com/mattermost/mattermost-server/v6 | go | >= 6.6.0, < 6.6.2 | 6.6.2
github.com/mattermost/mattermost-server/v6 | go | = 6.7.0 | 6.7.1

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The available vulnerability information describes an API access control issue but includes no code references, commit diffs, or function names. The CVSS vector (PR:L, C:H, I:N, A:N) and the advisory text agree on the shape of the bug: any authenticated team member, not only an administrator, can read user data they should not see by calling the APIs directly, with no integrity or availability impact. The flaw therefore most likely lives in user-related API handlers (endpoints that return user records without stripping fields the caller is not entitled to), but without the patch or surrounding code context the affected code paths cannot be identified with high confidence, and any naming of specific functions would be speculation.
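The analysis above names the class of bug but not the code. The following is an added Go illustration of that class and is not Mattermost's code or its fix: a user-listing endpoint that hands the full stored record to any authenticated team member, beside a version that strips the fields the caller is not entitled to before serialising. The User fields, the X-User-ID and X-Role headers used to stand in for session lookup, and the sample records are all constructed assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// User is a constructed stand-in for a stored user record. The field set is
// hypothetical; it is not Mattermost's user model.
type User struct {
	ID       string `json:"id"`
	Username string `json:"username"`
	Email    string `json:"email,omitempty"`
	AuthData string `json:"auth_data,omitempty"` // e.g. an external identity provider ID
	LastIP   string `json:"last_ip,omitempty"`
}

// Caller is the authenticated principal making the request.
type Caller struct {
	ID      string
	IsAdmin bool
}

// Constructed sample data (a slice, so output order is deterministic).
var users = []User{
	{ID: "u1", Username: "alice", Email: "alice@example.com", AuthData: "idp:alice", LastIP: "203.0.113.7"},
	{ID: "u2", Username: "bob", Email: "bob@example.com", AuthData: "idp:bob", LastIP: "198.51.100.9"},
}

// ListUsersVulnerable shows the flawed pattern: authentication is checked, but
// the stored records are returned as-is, so any member sees every field.
func ListUsersVulnerable(_ Caller) []User {
	out := make([]User, len(users))
	copy(out, users)
	return out
}

// SanitizeForViewer returns a copy of u with sensitive fields cleared unless the
// caller is an admin or is looking at their own record.
func SanitizeForViewer(u User, c Caller) User {
	if c.IsAdmin || c.ID == u.ID {
		return u
	}
	u.Email = ""
	u.AuthData = ""
	u.LastIP = ""
	return u
}

// ListUsersFixed applies the per-viewer sanitisation to every record before
// it leaves the handler; the authorisation decision is made in one place.
func ListUsersFixed(c Caller) []User {
	out := make([]User, 0, len(users))
	for _, u := range users {
		out = append(out, SanitizeForViewer(u, c))
	}
	return out
}

// usersHandler derives the caller from request headers. This is a hypothetical
// shortcut for the example; real code resolves the caller from the session.
func usersHandler(w http.ResponseWriter, r *http.Request) {
	caller := Caller{ID: r.Header.Get("X-User-ID"), IsAdmin: r.Header.Get("X-Role") == "admin"}
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(ListUsersFixed(caller))
}

// callAPI exercises the handler in-process and returns the raw JSON body,
// which is what a "direct API call" by a team member would receive.
func callAPI(userID, role string) string {
	req := httptest.NewRequest(http.MethodGet, "/api/users", nil)
	req.Header.Set("X-User-ID", userID)
	req.Header.Set("X-Role", role)
	rr := httptest.NewRecorder()
	usersHandler(rr, req)
	return rr.Body.String()
}

func main() {
	fmt.Print("member bob sees:  ", callAPI("u2", "member"))
	fmt.Print("admin sees:       ", callAPI("u1", "admin"))
}
```

The point of the fixed path is that the filtering is tied to the viewer and done on the server before encoding; a client-side filter, or a separate "public" endpoint next to an unfiltered one, leaves the unfiltered API reachable to anyone who calls it directly.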

WAF Protection Rules

WAF Rule

Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive information by directly accessing the APIs.
