CVE-2024-24774

LOW3.4EPSS 0.29%

Mattermost Jira Plugin does not properly check security levels in github.com/mattermost/mattermost-plugin-jira

Published: 2/9/2024Modified: 4/3/2025

Description

Mattermost Jira Plugin handling subscriptions fails to check the security level of an incoming issue or limit it based on the user who created the subscription resulting in registered users on Jira being able to create webhooks that give them access to all Jira issues.

Affected packages (3)

Bitnami/mattermostfrom 0, < 9.6.1
Go/github.com/mattermost/mattermost-plugin-jirafrom 0, < 4.0.0-rc1
Go/github.com/mattermost/mattermost-plugin-jirafrom 0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N
osv	CVSS 3.1	LOW3.4	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N

References (5)

ADVISORYhttps://github.com/advisories/GHSA-qr8f-cjw7-838m
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-24774
PATCHmattermost/mattermost-plugin-jira
WEBhttps://github.com/mattermost/mattermost-plugin-jira/commit/5f5e084d169bf6b82d5c46a7a7eb033e1a01c6de
WEBhttps://mattermost.com/security-updates