3.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-24774

GHSA ID

GHSA-qr8f-cjw7-838m

EPSS Score

0.48179%

CWE

CWE-863

Published

2/9/2024

Updated

11/18/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-24774

CVE-2024-24774: Mattermost Jira Plugin does not properly check security levels

Mattermost Jira Plugin handling subscriptions fails to check the security level of an incoming issue or limit it based on the user who created the subscription resulting in registered users on Jira being able to create webhooks that give them access to all Jira issues.

(GitHub Advisory)

3.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-24774

GHSA ID

GHSA-qr8f-cjw7-838m

EPSS Score

0.48179%

CWE

CWE-863

Published

2/9/2024

Updated

11/18/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/mattermost/mattermost-plugin-jira	go	< 4.0.0-rc1	4.0.0-rc1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing security level validation in subscription handling. The commit 5f5e084 adds: 1) Security level field checks in matchesSubsciptionFilters 2) Security level permission validation in validateSubscription() 3) New getSecurityLevelsForProject helper. The original vulnerable versions lacked these checks, allowing users to create subscriptions without proper security level authorization. The functions directly handling subscription filtering and validation are the primary points of missing access control.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

M*tt*rmost Jir* Plu*in **n*lin* su*s*riptions **ils to ****k t** s**urity l*v*l o* *n in*omin* issu* or limit it **s** on t** us*r w*o *r**t** t** su*s*ription r*sultin* in r**ist*r** us*rs on Jir* **in* **l* to *r**t* w***ooks t**t *iv* t**m ****ss

Reasoning

T** vuln*r**ility st*ms *rom missin* s**urity l*v*l `v*li**tion` in su*s*ription **n*lin*. T** *ommit `*******` ***s: *) S**urity l*v*l *i*l* ****ks in `m*t***sSu*s*iption*ilt*rs` *) S**urity l*v*l p*rmission `v*li**tion` in `v*li**t*Su*s*ription()`

3.4

Basic Information

Concerned about an active attack path?

CVE-2024-24774: Mattermost Jira Plugin does not properly check security levels

3.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI