CVE-2025-14273

EUVD-2025-204707

22.12.2025, 12:16

Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 with the Jira plugin enabled and Mattermost Jira plugin versions <=4.4.0 fail to enforce authentication and issue-key path restrictions in the Jira plugin, which allows an unauthenticated attacker who knows a valid user ID to issue authenticated GET and POST requests to the Jira server via crafted plugin payloads that spoof the user ID and inject arbitrary issue key paths. Mattermost Advisory ID: MMSA-2025-00555

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.2 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
Mattermost	CNA	7.2 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 31%

Affected Products (NVD)

Vendor	Product	Version
mattermost	mattermost_server	10.11.0 ≤ 𝑥 < 10.11.8
mattermost	mattermost_server	10.12.0 ≤ 𝑥 < 10.12.4
mattermost	mattermost_server	11.0.0 ≤ 𝑥 < 11.0.6
mattermost	mattermost_server	11.1.0 ≤ 𝑥 < 11.1.1

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-303 - Incorrect Implementation of Authentication Algorithm
The requirements for the software dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.

References

https://mattermost.com/security-updates