CVE-2024-23319

LOW3.5EPSS 0.10%

Mattermost Jira Plugin vulnerable to Cross-Site Request Forgery

Published: 2/9/2024Modified: 3/18/2024

Also known as:GHSA-4fp6-574p-fc35BIT-mattermost-2024-23319GO-2024-2539

Description

Mattermost Jira Plugin fails to protect against logout CSRF allowing an attacker to post a specially crafted message that would disconnect a user's Jira connection in Mattermost only by viewing the message.

Affected packages (3)

Bitnami/mattermostfrom 0, < 9.6.1
Go/github.com/mattermost/mattermost-plugin-jirafrom 0, < 1.1.2-0.20230830170046-f4cf4c6de017
Go/github.com/mattermost/mattermost-plugin-jirafrom 0, < 1.1.2-0.20230830170046-f4cf4c6de017

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-23319
PATCHhttps://github.com/mattermost/mattermost-plugin-jira
WEBhttps://github.com/mattermost/mattermost-plugin-jira/commit/f4cf4c6de017ef6aa4428d393b78f418dd84cd8e
WEBhttps://mattermost.com/security-updates
WEBhttps://pkg.go.dev/vuln/GO-2024-2539