Lucene search

GitHub Advisory DatabaseGHSA-4FP6-574P-FC35

HistoryFeb 09, 2024 - 3:31 p.m.

Mattermost Jira Plugin vulnerable to Cross-Site Request Forgery

2024-02-0915:31:26

CWE-352

GitHub Advisory Database

github.com

mattermost

jira

plugin

cross-site request forgery

vulnerable

csrf

attack

software

3.5 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

13.5%

JSON

Mattermost Jira Plugin fails to protect against logout CSRF allowing an attacker to post a specially crafted message that would disconnect a user’s Jira connection in Mattermost only by viewing the message.

Affected configurations

Vulners

Node

github.com\/mattermost\/mattermostserverRange<1.1.2-0.20230830170046-f4cf4c6de017

CPENameOperatorVersion
github.com/mattermost/mattermost-plugin-jiralt1.1.2-0.20230830170046-f4cf4c6de017

CPE	Name	Operator	Version
	github.com/mattermost/mattermost-plugin-jira	lt	1.1.2-0.20230830170046-f4cf4c6de017

References

github.com/advisories/GHSA-4fp6-574p-fc35

github.com/mattermost/mattermost-plugin-jira/commit/f4cf4c6de017ef6aa4428d393b78f418dd84cd8e

mattermost.com/security-updates

nvd.nist.gov/vuln/detail/CVE-2024-23319

pkg.go.dev/vuln/GO-2024-2539

3.5 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

13.5%

JSON

Related for GHSA-4FP6-574P-FC35