CVE-2024-24774 – github.com/mattermost/mattermost-plugin-jira

Package

Manager: go
Name: github.com/mattermost/mattermost-plugin-jira
Vulnerable Version: >=0 <4.0.0-rc1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

EPSS: 0.0025 pctl0.48088

Details

Mattermost Jira Plugin does not properly check security levels Mattermost Jira Plugin handling subscriptions fails to check the security level of an incoming issue or limit it based on the user who created the subscription resulting in registered users on Jira being able to create webhooks that give them access to all Jira issues.

Metadata

Created: 2024-02-09T15:31:27Z
Modified: 2024-11-18T16:26:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-qr8f-cjw7-838m/GHSA-qr8f-cjw7-838m.json
CWE IDs: ["CWE-863"]
Alternative ID: GHSA-qr8f-cjw7-838m
Finding: F006
Auto approve: 1