Описание
Mattermost vulnerable to Observable Timing Discrepancy
Mattermost Plugin MSTeams versions <2.1.0 and Mattermost Server versions 10.5.x <=10.5.1 with the MS Teams plugin enabled fail to perform constant time comparison on a MSTeams plugin webhook secret which allows an attacker to retrieve the webhook secret of the MSTeams plugin via a timing attack during webhook secret comparison.
Пакеты
github.com/mattermost/mattermost/server/v8
>= 10.5.0, < 10.5.2
10.5.2
github.com/mattermost/mattermost/server/v8
< 8.0.0-20250314142426-c049748b8863
8.0.0-20250314142426-c049748b8863
github.com/mattermost/mattermost-plugin-msteams
<= 1.15.0
2.1.0
Связанные уязвимости
Mattermost Plugin MSTeams versions <2.1.0 and Mattermost Server versions 10.5.x <=10.5.1 with the MS Teams plugin enabled fail to perform constant time comparison on a MSTeams plugin webhook secret which allows an attacker to retrieve the webhook secret of the MSTeams plugin via a timing attack during webhook secret comparison.