-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability lies in the mattermost-plugin-jira Go package, specifically in how it handled authentication for post actions. The analysis of the security patch bf9a1b7e81eb83304056b397c6abab3b062e14a2 reveals the root cause.
Two functions, httpShareIssuePublicly and httpTransitionIssuePostAction in server/issue.go, were identified as vulnerable. Before the patch, both functions extracted the user's identity from the UserId field within the JSON payload of the incoming HTTP request (mattermostUserID := requestData.UserId). This is insecure because an unauthenticated attacker can freely control the content of the request body and thus spoof any user's ID.
The patch rectifies this by instead reading the user's ID from the Mattermost-User-ID HTTP header (authenticatedUserID := strings.TrimSpace(r.Header.Get(headerMattermostUserID))). This header is added by the Mattermost server itself during request proxying to the plugin, and is a trusted source of the authenticated user's identity.
Additionally, the patch introduces further security checks:
Mattermost-User-ID header is present.issueKey format to prevent path injection style attacks.Therefore, during exploitation, a profiler would show calls to Plugin.httpShareIssuePublicly or Plugin.httpTransitionIssuePostAction as these are the entry points that process the malicious, unauthenticated requests. The other commits listed are merely updates to the Mattermost server to include the patched version of the Jira plugin.
Plugin.httpShareIssuePubliclyserver/issue.go
Plugin.httpTransitionIssuePostActionserver/issue.go
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/mattermost/mattermost/server/v8 | go | < 8.0.0-20251121122154-b57c297c6d7a | 8.0.0-20251121122154-b57c297c6d7a |
| github.com/mattermost/mattermost-plugin-jira | go | < 4.4.1 | 4.4.1 |