cve-2025-31363
Vulnerability from cvelistv5
Published
2025-04-16 09:14
Modified
2025-04-16 14:33
Severity ?
EPSS score ?
Summary
Data exfiltration via AI plugin Jira tool
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| Mattermost | Mattermost |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31363",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T14:19:20.968987Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T14:33:01.674Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mattermost",
"vendor": "Mattermost",
"versions": [
{
"lessThanOrEqual": "10.4.2",
"status": "affected",
"version": "10.4.0",
"versionType": "semver"
},
{
"status": "affected",
"version": "10.5.0"
},
{
"lessThanOrEqual": "9.11.9",
"status": "affected",
"version": "9.11.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "10.6.0"
},
{
"status": "unaffected",
"version": "10.4.3"
},
{
"status": "unaffected",
"version": "10.5.1"
},
{
"status": "unaffected",
"version": "9.11.10"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Juho Fors\u00e9n"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMattermost versions 10.4.x \u0026lt;= 10.4.2, 10.5.x \u0026lt;= 10.5.0, 9.11.x \u0026lt;= 9.11.9 fail to restrict domains the LLM can request to contact upstream\u0026nbsp;which allows an authenticated user to\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eexfiltrate data from an arbitrary server accessible to the victim via\u003c/span\u003e performing a prompt injection\u0026nbsp;in the AI plugin\u0027s Jira tool.\u003c/p\u003e"
}
],
"value": "Mattermost versions 10.4.x \u003c= 10.4.2, 10.5.x \u003c= 10.5.0, 9.11.x \u003c= 9.11.9 fail to restrict domains the LLM can request to contact upstream\u00a0which allows an authenticated user to\u00a0exfiltrate data from an arbitrary server accessible to the victim via performing a prompt injection\u00a0in the AI plugin\u0027s Jira tool."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1426",
"description": "CWE-1426: Improper Validation of Generative AI Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T09:14:15.992Z",
"orgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"shortName": "Mattermost"
},
"references": [
{
"url": "https://mattermost.com/security-updates"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUpdate Mattermost to versions 10.6.0, 10.4.3, 10.5.1, 9.11.10 or higher.\u003c/p\u003e"
}
],
"value": "Update Mattermost to versions 10.6.0, 10.4.3, 10.5.1, 9.11.10 or higher."
}
],
"source": {
"advisory": "MMSA-2024-00401",
"defect": [
"https://mattermost.atlassian.net/browse/MM-61473"
],
"discovery": "INTERNAL"
},
"title": "Data exfiltration via AI plugin Jira tool",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9302f53e-dde5-4bf3-b2f2-a83f91ac0eee",
"assignerShortName": "Mattermost",
"cveId": "CVE-2025-31363",
"datePublished": "2025-04-16T09:14:15.992Z",
"dateReserved": "2025-04-08T07:50:19.617Z",
"dateUpdated": "2025-04-16T14:33:01.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-31363\",\"sourceIdentifier\":\"responsibledisclosure@mattermost.com\",\"published\":\"2025-04-16T10:15:15.170\",\"lastModified\":\"2025-04-16T13:25:37.340\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Mattermost versions 10.4.x \u003c= 10.4.2, 10.5.x \u003c= 10.5.0, 9.11.x \u003c= 9.11.9 fail to restrict domains the LLM can request to contact upstream\u00a0which allows an authenticated user to\u00a0exfiltrate data from an arbitrary server accessible to the victim via performing a prompt injection\u00a0in the AI plugin\u0027s Jira tool.\"},{\"lang\":\"es\",\"value\":\"Las versiones de Mattermost 10.4.x \u0026lt;= 10.4.2, 10.5.x \u0026lt;= 10.5.0, 9.11.x \u0026lt;= 9.11.9 no restringen los dominios que LLM puede solicitar para contactar ascendentemente, lo que permite que un usuario autenticado extraiga datos de un servidor arbitrario accesible para la v\u00edctima mediante la realizaci\u00f3n de una inyecci\u00f3n r\u00e1pida en la herramienta Jira del complemento de IA.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"responsibledisclosure@mattermost.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N\",\"baseScore\":3.0,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.3,\"impactScore\":1.4}]},\"references\":[{\"url\":\"https://mattermost.com/security-updates\",\"source\":\"responsibledisclosure@mattermost.com\"}]}}"
}
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.