CVE-2025-44001: Mattermost Confluence Plugin has Missing Authorization vulnerability
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/mattermost/mattermost-plugin-confluence | go | < 1.5.0 | 1.5.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The Mattermost Confluence Plugin has a missing authorization flaw that allows an attacker to access channel subscription details without having the necessary permissions. The flaw exists in versions of the plugin prior to 1.5.0.
The root cause of this vulnerability lies in the `handleGetChannelSubscriptions` function, located in the `server/subscriptions.go` file. In the vulnerable versions, this function failed to verify that the user making the request was a member of the channel for which they were requesting subscription information. This oversight meant that any authenticated user could query the endpoint and retrieve subscription details for any channel, even if they were not a member of it.
The patch for this vulnerability, introduced in commit `de0a3d4c9eefa013e7d9f7a18d82eeced63322e6`, rectifies this issue by adding an explicit channel access check. The corrected code now retrieves the user's ID from the request context and uses the `hasChannelAccess` function to verify that the user is a member of the specified channel before proceeding to fetch and return the subscription details. This ensures that only authorized users can access the subscription information for a given channel.
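The missing check and its fix can be reproduced in a small regression harness. This is an added example, not the plugin's code: the route, the `channel_id` parameter, the in-memory stores and the handler signature are assumptions, `hasChannelAccess` is a stand-in for the plugin function of the same name, and the user ID is read from the `Mattermost-User-Id` header that the Mattermost server sets on plugin requests.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed sample data: channel membership and per-channel subscriptions.
var members = map[string]map[string]bool{"chan-private": {"alice": true}}
var subscriptions = map[string][]string{"chan-private": {"constructed-subscription"}}

// hasChannelAccess is a stand-in for the plugin's membership check.
func hasChannelAccess(userID, channelID string) bool {
	return members[channelID][userID]
}

// subscriptionsHandler builds the endpoint. checkAccess=false models the
// behaviour before 1.5.0 (authentication only); true models the patched flow.
func subscriptionsHandler(checkAccess bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		userID := r.Header.Get("Mattermost-User-Id")
		if userID == "" {
			http.Error(w, "not authenticated", http.StatusUnauthorized)
			return
		}
		channelID := r.URL.Query().Get("channel_id") // hypothetical parameter
		if checkAccess && !hasChannelAccess(userID, channelID) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		_ = json.NewEncoder(w).Encode(subscriptions[channelID])
	}
}

// statusFor sends one request as userID and returns the HTTP status code.
func statusFor(h http.Handler, userID, channelID string) int {
	req := httptest.NewRequest(http.MethodGet, "/subscriptions?channel_id="+channelID, nil)
	req.Header.Set("Mattermost-User-Id", userID)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	v, f := subscriptionsHandler(false), subscriptionsHandler(true)
	fmt.Println("non-member bob:", statusFor(v, "bob", "chan-private"), "->", statusFor(f, "bob", "chan-private"))
}
```

A test that asserts a 403 for an authenticated non-member is the regression check worth keeping for any endpoint that takes a channel ID from the request.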