CVE-2022-2401

Source
https://cve.org/CVERecord?id=CVE-2022-2401
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-2401.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-2401
Published
2022-07-14T17:20:49Z
Modified
2026-06-18T03:55:41.580595244Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Team members could access sensitive information of other users via an API call
Details

Unrestricted information disclosure of all users in Mattermost version 6.7.0 and earlier allows team members to access some sensitive information by directly accessing the APIs.

Database specific
{
    "cna_assigner": "Mattermost",
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "last_affected": "6.7.x 6.7.0"
                },
                {
                    "introduced": "6.x"
                },
                {
                    "last_affected": "6.3.8"
                },
                {
                    "introduced": "6.5.x"
                },
                {
                    "last_affected": "6.5.1"
                },
                {
                    "introduced": "6.6.x"
                },
                {
                    "last_affected": "6.6.1"
                }
            ]
        }
    ],
    "cwe_ids": [
        "CWE-200"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/2xxx/CVE-2022-2401.json"
}

Affected packages

Git / github.com/mattermost/mattermost

Affected ranges

Type
GIT
Repo
https://github.com/mattermost/mattermost
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed
Database specific
{
    "cpe": [
        "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:mattermost:mattermost_server:6.6.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:mattermost:mattermost_server:6.6.1:*:*:*:*:*:*:*",
        "cpe:2.3:a:mattermost:mattermost_server:6.7.0:*:*:*:*:*:*:*"
    ],
    "source": [
        "CPE_RANGE",
        "CPE_STRING"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "6.3.9"
        },
        {
            "last_affected": "6.6.0"
        },
        {
            "last_affected": "6.6.1"
        },
        {
            "last_affected": "6.7.0"
        },
        {
            "introduced": "6.4.0"
        },
        {
            "fixed": "6.5.2"
        }
    ]
}

Affected versions

Other
cloud-2020-11-24
cloud-2020-12-08
cloud-2020-12-18
cloud-2021-01-12
cloud-2021-01-26
cloud-2021-02-10
cloud-2021-02-24
cloud-2021-02-25-1
cloud-2021-03-12-1
cloud-2021-03-23-1
cloud-2021-04-22-1
cloud-2021-05-05-1
cloud-2021-05-21-1
cloud-2021-06-02-1
cloud-2021-06-16-1
cloud-2021-07-01-1
cloud-2021-07-15-1
cloud-2021-07-29-1
cloud-2021-08-12-1
cloud-2021-09-29-1
cloud-2021-10-12-1
cloud-2021-10-27-1
cloud-2021-11-09-1
cloud-2021-11-11-1
cloud-2021-11-23-1
cloud-2021-11-25-1
cloud-2021-11-30-1
cloud-2021-12-08-1
cloud-2022-03-02-1
v0.*
v0.5.0
v4.*
v4.10.0-rc1
v4.2.0-rc1
v4.3.0-rc1
v4.4.0-rc1
v4.5.0-rc1
v4.6.0-rc1
v4.6.0-rc2
v4.7.0-rc1
v4.8.0-rc1
v4.9.0-rc1
v5.*
v5.0.0-rc1
v5.1.0-rc1
v5.2.0-rc1
v5.2.0-rc2
v6.*
v6.3.0
v6.3.1
v6.3.2
v6.3.3
v6.3.4
v6.3.5
v6.3.6
v6.3.7
v6.3.8
v6.5.0
v6.5.1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-2401.json"