exploitDog

GHSA-fmqf-pmcm-8cx9

Опубликовано: 24 дек. 2025

Источник: github

Github: Прошло ревью

CVSS3: 4.3

Описание

Mattermost doesn't validate user channel membership when attaching Mattermost posts as comments to Jira issues

Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fails to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to.

Ссылки

Пакеты

Наименование

github.com/mattermost/mattermost/server/v8

go

Затронутые версииВерсия исправления

< 8.0.0-20251121122154-b57c297c6d7

8.0.0-20251121122154-b57c297c6d7

Наименование

github.com/mattermost/mattermost-server

go

Затронутые версииВерсия исправления

>= 10.11.0, < 10.11.8

10.11.8

Наименование

github.com/mattermost/mattermost-server

go

Затронутые версииВерсия исправления

>= 10.12.0, < 10.12.4

10.12.4

Наименование

github.com/mattermost/mattermost-server

go

Затронутые версииВерсия исправления

>= 11.0.0, < 11.0.6

11.0.6

Наименование

github.com/mattermost/mattermost-server

go

Затронутые версииВерсия исправления

>= 11.1.0, < 11.1.1

11.1.1

EPSS

Процентиль: 10%

0.00034

Низкий

4.3 Medium

CVSS3

CVE ID

Дефекты

CWE-863

Связанные уязвимости

CVE-2025-13767

CVSS3: 4.3

nvd

около 1 месяца назад

Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fails to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to.

CVE-2025-13767

CVSS3: 4.3

debian

около 1 месяца назад

Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10. ...

EPSS

Процентиль: 10%

0.00034

Низкий

4.3 Medium

CVSS3

CVE ID

Дефекты

CWE-863