CVE-2025-14273Incorrect Implementation of Authentication Algorithm in Mattermost Mattermost-plugin-jira

CWE-303Incorrect Implementation of Authentication Algorithm6 documents5 sources
Severity
8.3HIGHNVD
CNA7.2
EPSS
0.1%
top 68.83%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Github.com Mattermost Mattermost-plugin-jiraGithub.com Mattermost Mattermost Server V8Mattermost Server+1 more
Timeline
PublishedDec 22
Latest updateJan 12

Description

Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 with the Jira plugin enabled and Mattermost Jira plugin versions <=4.4.0 fail to enforce authentication and issue-key path restrictions in the Jira plugin, which allows an unauthenticated attacker who knows a valid user ID to issue authenticated GET and POST requests to the Jira server via crafted plugin payloads that spoof the user ID and inject arbitrary issue key paths. Mattermost Advisory ID: MMSA-

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:LExploitability: 3.9 | Impact: 3.7

Affected Packages4 packages

NVDmattermost/mattermost_server10.11.010.11.8+3
Gogithub.com/mattermost_mattermost_server_v8< 8.0.0-20251121122154-b57c297c6d7a
CVEListV5mattermost/mattermost11.1.011.1.0+3

🔴Vulnerability Details

4
OSV
Mattermost with Jira plugin enabled has Incorrect Implementation of Authentication Algorithm in github.com/mattermost/mattermost-plugin-jira2026-01-12
OSV
Mattermost with Jira plugin enabled has Incorrect Implementation of Authentication Algorithm2025-12-22
GHSA
Mattermost with Jira plugin enabled has Incorrect Implementation of Authentication Algorithm2025-12-22
CVEList
Mattermost Jira plugin user spoofing enables Jira request forgery.2025-12-22

🕵️Threat Intelligence

1
Wiz
CVE-2025-14273 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-14273 — HIGH severity | cvebase