maruTA-bis5 / mattermost4j

Mattermost API v4 Client for Java
Apache License 2.0

Mattermost v0.24.0 Published CRITICAL Vulnerabilities #455

Closed kinjelom closed 2 years ago

kinjelom commented 2 years ago

mattermost-models-0.24.0.jar

mattermost4j-core-0.24.0.jar

Details (OWASP dependency-check report, project "test", scanned Thu 13 Jan 2022 11:01:28 +0100, source NVD, CPE confidence HIGH, evidence count 20 for every row):

- `mattermost-models-0.24.0.jar` (path `net\bis5\mattermost4j\mattermost-models\0.24.0\mattermost-models-0.24.0.jar`, MD5 `a08ae1087243043507a01f3a78d9368c`, SHA1 `4a717527c8a7a89d82a15b4cc0d153a4a8c85c5f`), identified as `pkg:maven/net.bis5.mattermost4j/mattermost-models@0.24.0` and matched to `cpe:2.3:a:mattermost:mattermost:0.24.0:*:*:*:*:*:*:*`
- `mattermost4j-core-0.24.0.jar` (path `net\bis5\mattermost4j\mattermost4j-core\0.24.0\mattermost4j-core-0.24.0.jar`, MD5 `23178dd309159df98206d28f293e55f4`, SHA1 `6f060ab42504d5e014a6b0977487f64be43c10a9`), identified as `pkg:maven/net.bis5.mattermost4j/mattermost4j-core@0.24.0` and matched to the same CPE

Both dependencies are reported with the same four findings:

| CVE | CWE | Vulnerability | CVSSv2 (severity, score, vector) | CVSSv3 (severity, score, vector) |
|---|---|---|---|---|
| CVE-2019-20851 | CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | An issue was discovered in Mattermost Mobile Apps before 1.26.0. An attacker can use directory traversal with the Video Preview feature to overwrite arbitrary files on a device. | MEDIUM, 6.4, `/AV:N/AC:L/Au:N/C:N/I:P/A:P` | CRITICAL, 9.1, `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H` |
| CVE-2020-13891 | NVD-CWE-noinfo | An issue was discovered in Mattermost Mobile Apps before 1.31.2 on iOS. Unintended third-party servers could sometimes obtain authorization tokens, aka MMSA-2020-0022. | MEDIUM, 5.0, `/AV:N/AC:L/Au:N/C:P/I:N/A:N` | HIGH, 7.5, `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` |
| CVE-2021-37860 | CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | Mattermost 5.38 and earlier fails to sufficiently sanitize clipboard contents, which allows a user-assisted attacker to inject arbitrary web script in product deployments that explicitly disable the default CSP. | LOW, 2.6, `/AV:N/AC:H/Au:N/C:N/I:P/A:N` | MEDIUM, 6.1, `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` |
| CVE-2021-37861 | CWE-532 Information Exposure Through Log Files | Mattermost 6.0.2 and earlier fails to sufficiently sanitize user's password in audit logs when user creation fails. | MEDIUM, 5.0, `/AV:N/AC:L/Au:N/C:P/I:N/A:N` | HIGH, 7.5, `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` |
kinjelom commented 2 years ago

OWASP dependency-check PR: https://github.com/maruTA-bis5/mattermost4j/pull/456

Now, for 0.24.1-SNAPSHOT, target/dependency-check-report.csv contains:

Project "Mattermost APIv4 Client for Java", scanned Thu, 13 Jan 2022 11:44:52 +0100, source NVD, CPE confidence HIGH, evidence count 19 for every row. Dependency: `mattermost-models-0.24.1-SNAPSHOT.jar` (path `mattermost4j\mattermost-models\target\mattermost-models-0.24.1-SNAPSHOT.jar`, MD5 `0bdf6fdaedf5bd2dd0c0870be3b128bb`, SHA1 `9501dc7b6748ee1cb9e370955ad9785d24f29fe4`), identified as `pkg:maven/net.bis5.mattermost4j/mattermost-models@0.24.1-SNAPSHOT` and matched to `cpe:2.3:a:mattermost:mattermost:0.24.1:snapshot:*:*:*:*:*:*`.

| CVE | CWE | Vulnerability | CVSSv2 (severity, score, vector) | CVSSv3 (severity, score, vector) |
|---|---|---|---|---|
| CVE-2019-20851 | CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | An issue was discovered in Mattermost Mobile Apps before 1.26.0. An attacker can use directory traversal with the Video Preview feature to overwrite arbitrary files on a device. | MEDIUM, 6.4, `/AV:N/AC:L/Au:N/C:N/I:P/A:P` | CRITICAL, 9.1, `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H` |
| CVE-2020-13891 | NVD-CWE-noinfo | An issue was discovered in Mattermost Mobile Apps before 1.31.2 on iOS. Unintended third-party servers could sometimes obtain authorization tokens, aka MMSA-2020-0022. | MEDIUM, 5.0, `/AV:N/AC:L/Au:N/C:P/I:N/A:N` | HIGH, 7.5, `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` |
| CVE-2021-37860 | CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | Mattermost 5.38 and earlier fails to sufficiently sanitize clipboard contents, which allows a user-assisted attacker to inject arbitrary web script in product deployments that explicitly disable the default CSP. | LOW, 2.6, `/AV:N/AC:H/Au:N/C:N/I:P/A:N` | MEDIUM, 6.1, `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` |
| CVE-2021-37861 | CWE-532 Information Exposure Through Log Files | Mattermost 6.0.2 and earlier fails to sufficiently sanitize user's password in audit logs when user creation fails. | MEDIUM, 5.0, `/AV:N/AC:L/Au:N/C:P/I:N/A:N` | HIGH, 7.5, `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` |
maruTA-bis5 commented 2 years ago

These CVEs are about Mattermost Server (https://github.com/mattermost/mattermost). Mattermost4J is a REST API client and is not affected by these vulnerabilities.