Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for Mattermost Boards by Mattermost

    CVE-2021-37867 (GCVE-0-2021-37867)

    Vulnerability from nvd – Published: 2022-01-18 16:52 – Updated: 2024-12-06 23:11
    VLAI
    Title
    Emails of all users are exposed via one of the Boards APIs
    Summary
    Mattermost Boards plugin v0.10.0 and earlier fails to protect email addresses of all users via one of the Boards APIs, which allows authenticated and unauthorized users to access this information resulting in sensitive & private information disclosure.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates/ x_refsource_MISC
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Boards Affected: unspecified , ≤ 0.10.0 (custom)
    Unaffected: 0.9.5 , < unspecified (custom)
    Unaffected: 0.8.4 , < unspecified (custom)
    Unaffected: 0.7.5 , < unspecified (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T01:30:08.561Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://mattermost.com/security-updates/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-37867",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-06T22:53:27.329876Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-06T23:11:27.811Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Mattermost Boards",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "0.10.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "unaffected",
                  "version": "0.9.5",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "unaffected",
                  "version": "0.8.4",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "unaffected",
                  "version": "0.7.5",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost Boards plugin v0.10.0 and earlier fails to protect email addresses of all users via one of the Boards APIs, which allows authenticated and unauthorized users to access this information resulting in sensitive \u0026 private information disclosure."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Information Exposure",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-18T16:52:17.000Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://mattermost.com/security-updates/"
            }
          ],
          "source": {
            "advisory": "MMSA-2021-0080",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-40536"
            ],
            "discovery": "INTERNAL"
          },
          "title": "Emails of all users are exposed via one of the Boards APIs",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "responsibledisclosure@mattermost.com",
              "ID": "CVE-2021-37867",
              "STATE": "PUBLIC",
              "TITLE": "Emails of all users are exposed via one of the Boards APIs"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Mattermost Boards",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "0.10.0"
                              },
                              {
                                "version_affected": "!\u003e=",
                                "version_value": "0.9.5"
                              },
                              {
                                "version_affected": "!\u003e=",
                                "version_value": "0.8.4"
                              },
                              {
                                "version_affected": "!\u003e=",
                                "version_value": "0.7.5"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Mattermost"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Mattermost Boards plugin v0.10.0 and earlier fails to protect email addresses of all users via one of the Boards APIs, which allows authenticated and unauthorized users to access this information resulting in sensitive \u0026 private information disclosure."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-200 Information Exposure"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://mattermost.com/security-updates/",
                  "refsource": "MISC",
                  "url": "https://mattermost.com/security-updates/"
                }
              ]
            },
            "source": {
              "advisory": "MMSA-2021-0080",
              "defect": [
                "https://mattermost.atlassian.net/browse/MM-40536"
              ],
              "discovery": "INTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2021-37867",
        "datePublished": "2022-01-18T16:52:17.000Z",
        "dateReserved": "2021-08-02T00:00:00.000Z",
        "dateUpdated": "2024-12-06T23:11:27.811Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-37866 (GCVE-0-2021-37866)

    Vulnerability from nvd – Published: 2022-01-18 16:52 – Updated: 2024-12-06 23:11
    VLAI
    Title
    Session is not invalidated on server-side when user logged out of Boards
    Summary
    Mattermost Boards plugin v0.10.0 and earlier fails to invalidate a session on the server-side when a user logged out of Boards, which allows an attacker to reuse old session token for authorization.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-613 - Insufficient Session Expiration
    Assigner
    References
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Boards Affected: unspecified , ≤ 0.10.0 (custom)
    Unaffected: 0.9.5 , < unspecified (custom)
    Unaffected: 0.8.4 , < unspecified (custom)
    Unaffected: 0.7.5 , < unspecified (custom)
    Create a notification for this product.
    Credits
    Hagai Wechsler from WhiteSource
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T01:30:08.497Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://mattermost.com/security-updates/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-37866"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-37866",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-06T22:53:29.926029Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-06T23:11:40.140Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Mattermost Boards",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "0.10.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "unaffected",
                  "version": "0.9.5",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "unaffected",
                  "version": "0.8.4",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "unaffected",
                  "version": "0.7.5",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Hagai Wechsler from WhiteSource"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost Boards plugin v0.10.0 and earlier fails to invalidate a session on the server-side when a user logged out of Boards, which allows an attacker to reuse old session token for authorization."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-613",
                  "description": "CWE-613 Insufficient Session Expiration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-31T15:43:19.000Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://mattermost.com/security-updates/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-37866"
            }
          ],
          "source": {
            "advisory": "MMSA-2021-0077",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-40419"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Session is not invalidated on server-side when user logged out of Boards",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "responsibledisclosure@mattermost.com",
              "ID": "CVE-2021-37866",
              "STATE": "PUBLIC",
              "TITLE": "Session is not invalidated on server-side when user logged out of Boards"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Mattermost Boards",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "0.10.0"
                              },
                              {
                                "version_affected": "!\u003e=",
                                "version_value": "0.9.5"
                              },
                              {
                                "version_affected": "!\u003e=",
                                "version_value": "0.8.4"
                              },
                              {
                                "version_affected": "!\u003e=",
                                "version_value": "0.7.5"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Mattermost"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Hagai Wechsler from WhiteSource"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Mattermost Boards plugin v0.10.0 and earlier fails to invalidate a session on the server-side when a user logged out of Boards, which allows an attacker to reuse old session token for authorization."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-613 Insufficient Session Expiration"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://mattermost.com/security-updates/",
                  "refsource": "MISC",
                  "url": "https://mattermost.com/security-updates/"
                },
                {
                  "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-37866",
                  "refsource": "MISC",
                  "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-37866"
                }
              ]
            },
            "source": {
              "advisory": "MMSA-2021-0077",
              "defect": [
                "https://mattermost.atlassian.net/browse/MM-40419"
              ],
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2021-37866",
        "datePublished": "2022-01-18T16:52:16.000Z",
        "dateReserved": "2021-08-02T00:00:00.000Z",
        "dateUpdated": "2024-12-06T23:11:40.140Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-37867 (GCVE-0-2021-37867)

    Vulnerability from cvelistv5 – Published: 2022-01-18 16:52 – Updated: 2024-12-06 23:11
    VLAI
    Title
    Emails of all users are exposed via one of the Boards APIs
    Summary
    Mattermost Boards plugin v0.10.0 and earlier fails to protect email addresses of all users via one of the Boards APIs, which allows authenticated and unauthorized users to access this information resulting in sensitive & private information disclosure.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://mattermost.com/security-updates/ x_refsource_MISC
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Boards Affected: unspecified , ≤ 0.10.0 (custom)
    Unaffected: 0.9.5 , < unspecified (custom)
    Unaffected: 0.8.4 , < unspecified (custom)
    Unaffected: 0.7.5 , < unspecified (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T01:30:08.561Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://mattermost.com/security-updates/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-37867",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-06T22:53:27.329876Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-06T23:11:27.811Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Mattermost Boards",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "0.10.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "unaffected",
                  "version": "0.9.5",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "unaffected",
                  "version": "0.8.4",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "unaffected",
                  "version": "0.7.5",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost Boards plugin v0.10.0 and earlier fails to protect email addresses of all users via one of the Boards APIs, which allows authenticated and unauthorized users to access this information resulting in sensitive \u0026 private information disclosure."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Information Exposure",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-18T16:52:17.000Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://mattermost.com/security-updates/"
            }
          ],
          "source": {
            "advisory": "MMSA-2021-0080",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-40536"
            ],
            "discovery": "INTERNAL"
          },
          "title": "Emails of all users are exposed via one of the Boards APIs",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "responsibledisclosure@mattermost.com",
              "ID": "CVE-2021-37867",
              "STATE": "PUBLIC",
              "TITLE": "Emails of all users are exposed via one of the Boards APIs"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Mattermost Boards",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "0.10.0"
                              },
                              {
                                "version_affected": "!\u003e=",
                                "version_value": "0.9.5"
                              },
                              {
                                "version_affected": "!\u003e=",
                                "version_value": "0.8.4"
                              },
                              {
                                "version_affected": "!\u003e=",
                                "version_value": "0.7.5"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Mattermost"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Mattermost Boards plugin v0.10.0 and earlier fails to protect email addresses of all users via one of the Boards APIs, which allows authenticated and unauthorized users to access this information resulting in sensitive \u0026 private information disclosure."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-200 Information Exposure"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://mattermost.com/security-updates/",
                  "refsource": "MISC",
                  "url": "https://mattermost.com/security-updates/"
                }
              ]
            },
            "source": {
              "advisory": "MMSA-2021-0080",
              "defect": [
                "https://mattermost.atlassian.net/browse/MM-40536"
              ],
              "discovery": "INTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2021-37867",
        "datePublished": "2022-01-18T16:52:17.000Z",
        "dateReserved": "2021-08-02T00:00:00.000Z",
        "dateUpdated": "2024-12-06T23:11:27.811Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-37866 (GCVE-0-2021-37866)

    Vulnerability from cvelistv5 – Published: 2022-01-18 16:52 – Updated: 2024-12-06 23:11
    VLAI
    Title
    Session is not invalidated on server-side when user logged out of Boards
    Summary
    Mattermost Boards plugin v0.10.0 and earlier fails to invalidate a session on the server-side when a user logged out of Boards, which allows an attacker to reuse old session token for authorization.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-613 - Insufficient Session Expiration
    Assigner
    References
    Impacted products
    Vendor Product Version
    Mattermost Mattermost Boards Affected: unspecified , ≤ 0.10.0 (custom)
    Unaffected: 0.9.5 , < unspecified (custom)
    Unaffected: 0.8.4 , < unspecified (custom)
    Unaffected: 0.7.5 , < unspecified (custom)
    Create a notification for this product.
    Credits
    Hagai Wechsler from WhiteSource
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T01:30:08.497Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://mattermost.com/security-updates/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-37866"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2021-37866",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-06T22:53:29.926029Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-06T23:11:40.140Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Mattermost Boards",
              "vendor": "Mattermost",
              "versions": [
                {
                  "lessThanOrEqual": "0.10.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "unaffected",
                  "version": "0.9.5",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "unaffected",
                  "version": "0.8.4",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "unaffected",
                  "version": "0.7.5",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Hagai Wechsler from WhiteSource"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Mattermost Boards plugin v0.10.0 and earlier fails to invalidate a session on the server-side when a user logged out of Boards, which allows an attacker to reuse old session token for authorization."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-613",
                  "description": "CWE-613 Insufficient Session Expiration",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-01-31T15:43:19.000Z",
            "orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
            "shortName": "Mattermost"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://mattermost.com/security-updates/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-37866"
            }
          ],
          "source": {
            "advisory": "MMSA-2021-0077",
            "defect": [
              "https://mattermost.atlassian.net/browse/MM-40419"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Session is not invalidated on server-side when user logged out of Boards",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "responsibledisclosure@mattermost.com",
              "ID": "CVE-2021-37866",
              "STATE": "PUBLIC",
              "TITLE": "Session is not invalidated on server-side when user logged out of Boards"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Mattermost Boards",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_value": "0.10.0"
                              },
                              {
                                "version_affected": "!\u003e=",
                                "version_value": "0.9.5"
                              },
                              {
                                "version_affected": "!\u003e=",
                                "version_value": "0.8.4"
                              },
                              {
                                "version_affected": "!\u003e=",
                                "version_value": "0.7.5"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Mattermost"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Hagai Wechsler from WhiteSource"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Mattermost Boards plugin v0.10.0 and earlier fails to invalidate a session on the server-side when a user logged out of Boards, which allows an attacker to reuse old session token for authorization."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-613 Insufficient Session Expiration"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://mattermost.com/security-updates/",
                  "refsource": "MISC",
                  "url": "https://mattermost.com/security-updates/"
                },
                {
                  "name": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-37866",
                  "refsource": "MISC",
                  "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-37866"
                }
              ]
            },
            "source": {
              "advisory": "MMSA-2021-0077",
              "defect": [
                "https://mattermost.atlassian.net/browse/MM-40419"
              ],
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
        "assignerShortName": "Mattermost",
        "cveId": "CVE-2021-37866",
        "datePublished": "2022-01-18T16:52:16.000Z",
        "dateReserved": "2021-08-02T00:00:00.000Z",
        "dateUpdated": "2024-12-06T23:11:40.140Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }