Low severity · NVD Advisory · Published Feb 9, 2024 · Updated Aug 1, 2024
CSRF issue allows disconnecting a user's Jira connection through a simple post message (Jira Plugin)
CVE-2024-23319
Description
Mattermost Jira Plugin fails to protect against logout CSRF, allowing an attacker to post a specially crafted message that disconnects a user's Jira connection in Mattermost when the user merely views the message.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/mattermost/mattermost-plugin-jira (Go) | < 1.1.2-0.20230830170046-f4cf4c6de017 | 1.1.2-0.20230830170046-f4cf4c6de017 |
Affected products
Patches
f4cf4c6de017 [MM-52755] Change user disconnect to HTTP POST (#951)
3 files changed · +27 −3
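--- a/assets/templates/oauth1/complete.html
+++ b/assets/templates/oauth1/complete.html
@@ -14,6 +14,7 @@
 .btn {
   -webkit-transition: all 0.15s ease;
   -webkit-transition-delay: 0s;
+  transition-delay: 0s;
   -moz-transition: all 0.15s ease;
   -o-transition: all 0.15s ease;
   transition: all 0.15s ease false;
@@ -54,6 +55,26 @@
   margin-right: 4px;
 }
 </style>
+<script>
+  const handleDisconnect = () => {
+    // Splitting the cookies string on the basis of cookie name and then popping out the first value.
+    const token = ('; ' + document.cookie).split('; MMCSRF=').pop().split(';')[0];
+
+    fetch("{{ .RevokeURL }}", {
+      method: "POST",
+      headers: {'X-CSRF-Token': token},
+    }).then(res => {
+      const element = document.body;
+      if(!res.ok) {
+        element.style.margin = "10px";
+      } else {
+        window.close();
+      }
+
+      return res.text().then(text => element.innerHTML = text);
+    })
+  }
+</script>
 <link rel="stylesheet" href="https://unpkg.com/@atlaskit/css-reset@2.0.0/dist/bundle.css" media="all">
 </head>
 <body>
@@ -68,7 +89,7 @@ <h3>
   <div>Mattermost account: {{ .MattermostDisplayName }}</div>
   <div>Jira account: {{ .JiraDisplayName }}</div>
 </div>
-<a href="{{ .RevokeURL }}" class="btn btn-link">Disconnect</a>
+<button onclick="handleDisconnect()" class="btn btn-link">Disconnect</button>
 </div>
 </body>
 </html>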
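Review bot: The fetch chain in handleDisconnect has no rejection handler, so a network failure (a rejected promise rather than a non-ok status) leaves the page unchanged with no feedback to the user; append `}).catch(() => { document.body.innerHTML = "Disconnect request failed; please try again."; });` after the `.then(...)` block. On the success path `window.close()` runs before the response body is read, and the fall-through then replaces the body with the server's text when the window cannot be closed (pages not opened by script); that is intentional but deserves a comment such as `// window.close() is a no-op when this page was not opened by script; fall through and render the server message`. The token read from `document.cookie` is only sent as a header here; whether anything verifies it for this route is not visible in this section and should be confirmed against the server-side handler chain.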
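--- a/server/http.go
+++ b/server/http.go
@@ -121,7 +121,7 @@ func (p *Plugin) initializeRouter() {
 	// Oauth1 (Jira Server)
 	instanceRouter.HandleFunc(routeOAuth1Complete, p.checkAuth(p.handleResponseWithCallbackInstance(p.httpOAuth1aComplete))).Methods(http.MethodGet)
-	instanceRouter.HandleFunc(routeUserDisconnect, p.checkAuth(p.handleResponseWithCallbackInstance(p.httpOAuth1aDisconnect))).Methods(http.MethodGet)
+	instanceRouter.HandleFunc(routeUserDisconnect, p.checkAuth(p.handleResponseWithCallbackInstance(p.httpOAuth1aDisconnect))).Methods(http.MethodPost)
 	// OAuth2 (Jira Cloud)
 	instanceRouter.HandleFunc(routeOAuth2Complete, p.handleResponseWithCallbackInstance(p.httpOAuth2Complete)).Methods(http.MethodGet)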
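Review bot: Switching routeUserDisconnect to `http.MethodPost` is the whole mitigation in this file, yet nothing in the handler chain shown (`p.checkAuth`, `p.handleResponseWithCallbackInstance`) visibly validates the `X-CSRF-Token` header the new template sends; the protection presumably relies on the Mattermost server rejecting cookie-authenticated plugin POSTs that lack a valid token, and that dependency is undocumented. Suggest a comment on the changed line: `// POST only (MM-52755): a GET disconnect was reachable from a rendered link, so a cookie-authenticated request could remove the connection without user intent; the server's CSRF check applies to state-changing requests.` The neighbouring OAuth1/OAuth2 completion routes are redirect targets and correctly remain GET. initializeRouter's body continues outside the hunk.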
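--- a/server/user_server.go
+++ b/server/user_server.go
@@ -121,10 +121,13 @@ func (p *Plugin) httpOAuth1aComplete(w http.ResponseWriter, r *http.Request, ins
 func (p *Plugin) httpOAuth1aDisconnect(w http.ResponseWriter, r *http.Request, instanceID types.ID) (int, error) {
 	mattermostUserID := r.Header.Get("Mattermost-User-Id")
-	_, err := p.DisconnectUser(instanceID.String(), types.ID(mattermostUserID))
+	conn, err := p.DisconnectUser(instanceID.String(), types.ID(mattermostUserID))
 	if err != nil {
 		return respondErr(w, http.StatusInternalServerError, err)
 	}
+	if _, err := p.CreateBotDMtoMMUserID(mattermostUserID, "You have successfully disconnected your Jira account (**%s**).", conn.DisplayName); err != nil {
+		return respondErr(w, http.StatusInternalServerError, err)
+	}
 	return p.respondSpecialTemplate(w, "/other/message.html", http.StatusOK, "text/html", struct {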
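Review bot: A failure in the new `CreateBotDMtoMMUserID` call returns 500 after `DisconnectUser` has already succeeded, so the user gets an error page for a disconnect that did happen and may retry against a connection that no longer exists; the DM is a courtesy notification, so log the error and fall through to the success template rather than `return respondErr(w, http.StatusInternalServerError, err)`. `conn.DisplayName` is dereferenced without a nil check; if `DisconnectUser` can return a nil connection alongside a nil error this panics, so the contract should be confirmed or guarded with `if conn != nil`. httpOAuth1aDisconnect's body continues outside the hunk.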
Vulnerability mechanics
References