CVE-2025-27936Observable Timing Discrepancy in Mattermost Mattermost-plugin-msteams

CWE-208Observable Timing Discrepancy5 documents4 sources
Severity
5.9MEDIUMNVD
CNA5.3
EPSS
0.2%
top 56.27%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
6
Github.com Mattermost Mattermost-plugin-msteamsGithub.com Mattermost Mattermost-serverGithub.com Mattermost Mattermost Server V8+3 more
Timeline
PublishedApr 16
Latest updateApr 22

Description

Mattermost Plugin MSTeams versions <2.1.0 and Mattermost Server versions 10.5.x <=10.5.1 with the MS Teams plugin enabled fail to perform constant time comparison on a MSTeams plugin webhook secret which allows an attacker to retrieve the webhook secret of the MSTeams plugin via a timing attack during webhook secret comparison.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages6 packages

NVDmattermost/ms_teams< 2.1.0
Gogithub.com/mattermost_mattermost-server10.5.0+incompatible10.5.2+incompatible

🔴Vulnerability Details

4
OSV
Mattermost vulnerable to Observable Timing Discrepancy in github.com/mattermost/mattermost-plugin-msteams2025-04-22
GHSA
Mattermost vulnerable to Observable Timing Discrepancy2025-04-16
CVEList
Webhook Secret Exposure via Timing attack in MSteams plugin2025-04-16
OSV
Mattermost vulnerable to Observable Timing Discrepancy2025-04-16
CVE-2025-27936 — Observable Timing Discrepancy | cvebase