Mattermost Jira plugin user spoofing enables Jira request forgery.

7.2 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L

Description

Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 with the Jira plugin enabled and Mattermost Jira plugin versions <=4.4.0 fail to enforce authentication and issue-key path restrictions in the Jira plugin, which allows an unauthenticated attacker who knows a valid user ID to issue authenticated GET and POST requests to the Jira server via crafted plugin payloads that spoof the user ID and inject arbitrary issue key paths. Mattermost Advisory ID: MMSA-2025-00555

Basic Information

ID CVE-2025-14273

Source Mattermost

Published Dec 22, 2025 at 11:24

Modified Dec 22, 2025 at 12:59

Affected Product

Vendor Mattermost

Product Mattermost

Version 11.1.0

Affected Versions Mattermost Mattermost 11.1.0
Mattermost Mattermost 11.0.0
Mattermost Mattermost 10.12.0
Mattermost Mattermost 10.11.0

CWE Classification

CWE-303

References

mattermost.com /security-updates

{
    "lastseen": "",
    "description": "Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 with the Jira plugin enabled and Mattermost Jira plugin versions <=4.4.0 fail to enforce authentication and issue-key path restrictions in the Jira plugin, which allows an unauthenticated attacker who knows a valid user ID to issue authenticated GET and POST requests to the Jira server via crafted plugin payloads that spoof the user ID and inject arbitrary issue key paths. Mattermost Advisory ID: MMSA-2025-00555",
    "published": "2025-12-22T11:24:55.893Z",
    "modified": "2025-12-22T12:59:27.938Z",
    "type": "cve",
    "title": "Mattermost Jira plugin user spoofing enables Jira request forgery.",
    "source": "Mattermost",
    "references": "https://mattermost.com/security-updates",
    "id": "CVE-2025-14273",
    "bulletinFamily": "",
    "cwe": [
        "CWE-303"
    ],
    "cvelist": null,
    "sourceData": "Mattermost Mattermost 11.1.0\nMattermost Mattermost 11.0.0\nMattermost Mattermost 10.12.0\nMattermost Mattermost 10.11.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.2,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Mattermost",
    "version": "11.1.0",
    "vendor": "Mattermost",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Mattermost Jira plugin user spoofing enables Jira request forgery._CVE-2025-14273