CVE-2022-1003
LOW severity · CVSS 3.3 · CWE-268
3.3CVSS LOW
Summary
One of the API in Mattermost version 6.3.0 and earlier fails to properly protect the permissions, which allows the system administrators to combine the two distinct privileges/capabilities in a way that allows them to override certain restricted configurations like EnableUploads.
Impact & exploitability
Attack vectorNetwork
Attack complexityHigh
Privileges requiredHigh
User interactionNone
Confidentiality impactLow
Integrity impactLow
Availability impactNone
Exploit probability (EPSS)0%
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Affected products we track (1)
Recommendation
Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.