CVE-2022-1384 MEDIUM

CVE-2022-1384: Authorized users are allowed to install old plugin versions from the Marketplace

Vendor: Mattermost
Product: Mattermost
Weakness: CWE-477
Published: April 19, 2022
Last update: December 6, 2024

CVSS base score

4.7/10
Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: None
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01 Description

Mattermost version 6.4.x and earlier fails to properly check the plugin version when a plugin is installed from the Marketplace. This allows an authenticated and authorized user to install and exploit an old plugin version from the Marketplace, which might have known vulnerabilities.

Key dates

02 Disclosure timeline

April 19, 2022: CVE published
December 6, 2024: Record updated