CVE-2025-27936
published 2025-04-16CVE-2025-27936: Mattermost Plugin MSTeams versions <2.1.0 and Mattermost Server versions 10.5.x <=10.5.1 with the MS Teams plugin enabled fail to perform constant time…
medium5.9CVSS 3.1
AVNACHPRNUINSUCHINAN
Mattermost Plugin MSTeams versions <2.1.0 and Mattermost Server versions 10.5.x <=10.5.1 with the MS Teams plugin enabled fail to perform constant time comparison on a MSTeams plugin webhook secret which allows an attacker to retrieve the webhook secret of the MSTeams plugin via a timing attack during webhook secret comparison.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | mattermost_mattermost-plugin-msteams | >= 0 < 2.1.0 | 2.1.0 |
| github.com | mattermost_mattermost-server | >= 10.5.0+incompatible < 10.5.2+incompatible | 10.5.2+incompatible |
| github.com | mattermost_mattermost_server_v8 | >= 0 < 8.0.0-20250218121836-2b5275d87136 | 8.0.0-20250218121836-2b5275d87136 |
| github.com | mattermost_mattermost_server_v8 | >= 0 < 8.0.0-20250314142426-c049748b8863 | 8.0.0-20250314142426-c049748b8863 |
| github.com | mattermost_mattermost_server_v8 | >= 10.5.0 < 10.5.2 | 10.5.2 |
| mattermost | mattermost | 10.5.0 – 10.5.1 | — |
| mattermost | mattermost_server | < 10.5.2 | 10.5.2 |
| mattermost | ms_teams | < 2.1.0 | 2.1.0 |