{ "schema_version": "1.4.0", "id": "GHSA-2j87-p623-8cc2", "modified": "2025-04-23T15:18:35Z", "published": "2025-04-16T12:31:19Z", "aliases": [ "CVE-2025-27936" ], "summary": "Mattermost vulnerable to Observable Timing Discrepancy", "details": "Mattermost Plugin MSTeams versions <2.1.0 and Mattermost Server versions 10.5.x <=10.5.1 with the MS Teams plugin enabled fail to perform constant time comparison on a MSTeams plugin webhook secret which allows an attacker to retrieve the webhook secret of the MSTeams plugin via a timing attack during webhook secret comparison.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/mattermost/mattermost/server/v8" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.5.0" }, { "fixed": "10.5.2" } ] } ] }, { "package": { "ecosystem": "Go", "name": "github.com/mattermost/mattermost/server/v8" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "8.0.0-20250314142426-c049748b8863" } ] } ] }, { "package": { "ecosystem": "Go", "name": "github.com/mattermost/mattermost-plugin-msteams" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.1.0" } ] } ], "database_specific": { "last_known_affected_version_range": "<= 1.15.0" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27936" }, { "type": "PACKAGE", "url": "https://github.com/mattermost/mattermost" }, { "type": "WEB", "url": "https://mattermost.com/security-updates" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2025-3618" } ], "database_specific": { "cwe_ids": [ "CWE-208" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-04-16T14:58:55Z", "nvd_published_at": "2025-04-16T10:15:14Z" } }