
[GHSA-9pj7-jh2r-87g8] Mattermost doesn't validate user permissions when creating Jira issues from Mattermost posts#6930

Closed
cai0duque wants to merge 1 commit into cai0duque/advisory-improvement-6930 from cai0duque-GHSA-9pj7-jh2r-87g8

Conversation

@cai0duque

Updates

  • CVSS v3
  • CVSS v4
  • CWEs
  • Description

Comments
Added CVSS 4.0 metrics to provide a modern severity assessment. More importantly, added CWE-639 (Authorization Bypass Through User-Controlled Key) as the primary weakness, as the vulnerability description explicitly describes an Insecure Direct Object Reference (IDOR) scenario where providing a post ID bypasses access checks.
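To make the classification question concrete, here is an added example (not Mattermost's or the Jira plugin's code) of the pattern the PR description is pointing at: a handler that accepts a caller-supplied post ID, resolves the post, and either uses it straight away or first verifies that the requesting user may read the channel the post belongs to. Go is used because Mattermost and its plugins are written in Go; the store, post and membership types are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Post and Store are a constructed in-memory model for this example; they are not
// the plugin's real data structures.
type Post struct {
	ID        string
	ChannelID string
	Message   string
}

type Store struct {
	posts   map[string]Post
	members map[string]map[string]bool // channelID -> set of member userIDs
}

var (
	ErrNotFound  = errors.New("post not found")
	ErrForbidden = errors.New("user may not read this post")
)

// createIssueInsecure shows the IDOR pattern the advisory describes: the post ID
// supplied by the caller is looked up and its content used without checking whether
// the requesting user is allowed to read the channel the post lives in.
func (s *Store) createIssueInsecure(userID, postID string) (string, error) {
	p, ok := s.posts[postID]
	if !ok {
		return "", ErrNotFound
	}
	return buildIssueSummary(p), nil
}

// createIssueChecked adds the missing authorization step: resolve the post, then
// verify the user's membership in the post's channel before any post content is used.
func (s *Store) createIssueChecked(userID, postID string) (string, error) {
	p, ok := s.posts[postID]
	if !ok {
		return "", ErrNotFound
	}
	if !s.members[p.ChannelID][userID] {
		return "", ErrForbidden
	}
	return buildIssueSummary(p), nil
}

// buildIssueSummary stands in for the call that would create the Jira issue.
func buildIssueSummary(p Post) string {
	return fmt.Sprintf("Jira issue from post %s: %q", p.ID, p.Message)
}

// newSampleStore builds constructed sample data: one private channel with a single
// member ("alice") and one post in it. "outsider" is not a member.
func newSampleStore() *Store {
	return &Store{
		posts: map[string]Post{
			"post-private-1": {ID: "post-private-1", ChannelID: "chan-private", Message: "Secret roadmap"},
		},
		members: map[string]map[string]bool{
			"chan-private": {"alice": true},
		},
	}
}

func main() {
	s := newSampleStore()
	for _, user := range []string{"alice", "outsider"} {
		out, err := s.createIssueInsecure(user, "post-private-1")
		fmt.Printf("insecure  user=%-8s -> %q err=%v\n", user, out, err)
		out, err = s.createIssueChecked(user, "post-private-1")
		fmt.Printf("checked   user=%-8s -> %q err=%v\n", user, out, err)
	}
}
```

The two errors are kept distinct here so the test can tell them apart; at the HTTP boundary a deployment would normally map both to the same response so that the endpoint does not confirm which post IDs exist.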

Copilot AI review requested due to automatic review settings February 17, 2026 09:08
@github-actions github-actions bot changed the base branch from main to cai0duque/advisory-improvement-6930 February 17, 2026 09:10

Copilot AI left a comment


Pull request overview

This PR updates a GitHub Security Advisory (GHSA-9pj7-jh2r-87g8) for a Mattermost vulnerability by modernizing its severity assessment and improving vulnerability classification.

Changes:

  • Upgraded CVSS scoring from v3.1 to v4.0
  • Enhanced vulnerability description with clearer explanation of the IDOR attack vector
  • Added CWE-639 (Authorization Bypass Through User-Controlled Key) as primary weakness classification

Comments suppressed due to low confidence (1)

advisories/github-reviewed/2026/02/GHSA-9pj7-jh2r-87g8/GHSA-9pj7-jh2r-87g8.json:1

  • The advisory path contains '2026/02' which appears to be a future date. Security advisories should typically reflect the date when the vulnerability was disclosed or the advisory was created, not future dates. Verify this is intentional or correct the year to 2025 if this is a mistake.
{


@shelbyc
Contributor

shelbyc commented Feb 17, 2026

Hi @cai0duque, I'm retaining the CVSS 3.1 value and the CWE-863 value provided by the Mattermost, Inc. CNA because they accurately describe the vulnerability. There is no need to add CVSS 4.0 with an accurate CVSS 3.1 already present, and to me the CVE description is consistent with CWE-863, not CWE-639.

@shelbyc shelbyc closed this Feb 17, 2026
@github-actions github-actions bot deleted the cai0duque-GHSA-9pj7-jh2r-87g8 branch February 17, 2026 21:37
@cai0duque
Author

Hi @shelbyc, thanks for the clarification.

I understand the policy to prioritize consistency with the CNA's original assessment. I'll refrain from proposing CVSS 4.0 additions or CWE refinements for CNA-managed advisories unless there is a functional error in the existing data. Thanks for the review!


2 participants