CVE-2025-14273
- Source
- https://cve.org/CVERecord?id=CVE-2025-14273
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-14273.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-14273
- Aliases
- Downstream
- Related
- Published
- 2025-12-22T12:16:19.240Z
- Modified
- 2026-03-23T05:03:16.264713960Z
- Severity
-
- 8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS Calculator
- Summary
- [none]
- Details
-
Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 with the Jira plugin enabled and Mattermost Jira plugin versions <=4.4.0 fail to enforce authentication and issue-key path restrictions in the Jira plugin, which allows an unauthenticated attacker who knows a valid user ID to issue authenticated GET and POST requests to the Jira server via crafted plugin payloads that spoof the user ID and inject arbitrary issue key paths. Mattermost Advisory ID: MMSA-2025-00555
- References
Affected packages
Git / github.com/mattermost/mattermost-server
Affected versions
@mattermost/client@10.*
@mattermost/client@10.11.0
@mattermost/client@10.12.0
@mattermost/client@11.*
@mattermost/client@11.1.0
@mattermost/types@10.*
@mattermost/types@10.11.0
@mattermost/types@10.12.0
@mattermost/types@11.*
@mattermost/types@11.1.0
mattermost-redux@10.*
mattermost-redux@10.11.0
mattermost-redux@10.12.0
mattermost-redux@11.*
mattermost-redux@11.1.0
v10.*
v10.11.0
v10.11.0-rc3
v10.11.1
v10.11.1-rc1
v10.11.2
v10.11.2-rc1
v10.11.2-rc2
v10.11.3
v10.11.4
v10.11.4-rc1
v10.11.4-rc2
v10.11.4-rc3
v10.11.5
v10.11.6
v10.11.7
v10.12.0
v10.12.0-rc1
v10.12.0-rc2
v10.12.0-rc3
v10.12.1
v10.12.1-rc1
v10.12.2
v10.12.3
v11.*
v11.1.0
v11.1.0-rc4
v11.1.1-rc1
v11.1.1-rc2