
Description

Mattermost Plugin MSTeams versions <2.1.0 and Mattermost Server versions 10.5.x <=10.5.1 with the MS Teams plugin enabled fail to perform a constant-time comparison on the MSTeams plugin webhook secret, which allows an attacker to retrieve the webhook secret of the MSTeams plugin via a timing attack during webhook secret comparison.
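As an added illustration, not Mattermost's or the plugin's own code, the weak comparison pattern the advisory describes beside a constant-time form, written in Go since Mattermost plugins are Go; the secret value and function names are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Constructed stand-in for the secret a plugin would store in its
// configuration; not a value from the advisory.
const exampleStoredSecret = "constructed-example-secret-0123456789"

// verifySecretWeak shows the pattern behind CWE-208: Go's string ==
// compares byte by byte and returns at the first mismatch, so the time
// taken grows with the length of the matching prefix and can be measured.
func verifySecretWeak(stored, candidate string) bool {
	return stored == candidate
}

// verifySecretConstantTime is the hardened form. Both values are hashed
// first so the compared slices always have the same length
// (ConstantTimeCompare returns 0 immediately on unequal lengths, which
// would otherwise leak the secret's length), then compared with
// crypto/subtle, which touches every byte regardless of where the first
// difference is.
func verifySecretConstantTime(stored, candidate string) bool {
	a := sha256.Sum256([]byte(stored))
	b := sha256.Sum256([]byte(candidate))
	return subtle.ConstantTimeCompare(a[:], b[:]) == 1
}

func main() {
	candidates := []string{
		exampleStoredSecret,
		"constructed-example-secret-0123456780", // differs only in the last byte
		"short",
	}
	for _, c := range candidates {
		fmt.Printf("%-42q weak=%v constant-time=%v\n", c,
			verifySecretWeak(exampleStoredSecret, c),
			verifySecretConstantTime(exampleStoredSecret, c))
	}
}
```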

Status: PUBLISHED | Reserved 2025-04-08 | Published 2025-04-16 | Updated 2025-04-16 | Assigner: Mattermost

MEDIUM: 5.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-208: Observable Timing Discrepancy

Product status

Default status: unaffected
10.5.0 (semver): affected
10.6.0: unaffected
10.5.2: unaffected

Credits

Juho Forsén (finder)

References

mattermost.com/security-updates

cve.org (CVE-2025-27936)

nvd.nist.gov (CVE-2025-27936)
