Mattermost MSTeams Plugin Webhook Secret Timing Attack Vulnerability

Vulnerability

A vulnerability exists in the Mattermost MSTeams Plugin, affecting versions prior to 2.1.0, and in Mattermost Server versions 10.5.x up to 10.5.1, when the MS Teams plugin is enabled. The issue arises because these versions do not perform a constant-time comparison of the MSTeams plugin webhook secret. This flaw lets an attacker mount a timing attack against the comparison and recover the webhook secret.

Impact

Exploitation of this vulnerability allows for the retrieval of the MSTeams plugin webhook secret, which could potentially be misused in the context of the plugin's functionality.

Remediation

Users are advised to update to Mattermost MSTeams Plugin version 2.1.0 or later and to upgrade Mattermost Server to version 10.5.2 or later.
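To illustrate the flaw described under Vulnerability and the class of fix described under Remediation, the following Go example (added here; it is not the plugin's own code) shows a webhook handler that verifies a shared secret with a plain string comparison next to one that uses crypto/subtle. The secret value and the X-Webhook-Secret header name are assumptions for this example, not the plugin's actual configuration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed sample secret; a real deployment reads it from plugin configuration.
const configuredSecret = "s3cr3t-webhook-token-example"

// Assumed header name for this example, not the plugin's real one.
const secretHeader = "X-Webhook-Secret"

// vulnerableCompare mirrors the flawed pattern: Go's == on strings returns as soon
// as the first differing byte is found, so response time leaks how many leading
// bytes of the guess matched the secret.
func vulnerableCompare(provided, expected string) bool {
	return provided == expected
}

// constantTimeCompare is the fix: subtle.ConstantTimeCompare examines every byte of
// equal-length inputs, so timing no longer depends on where a mismatch occurs.
// It still returns early on a length mismatch (revealing only the secret's length).
func constantTimeCompare(provided, expected string) bool {
	return subtle.ConstantTimeCompare([]byte(provided), []byte(expected)) == 1
}

// webhookHandler rejects requests whose secret does not match, using the given comparator.
func webhookHandler(compare func(string, string) bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !compare(r.Header.Get(secretHeader), configuredSecret) {
			http.Error(w, "invalid webhook secret", http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusOK)
	}
}

// statusFor sends one constructed request carrying the given secret and returns the status code.
func statusFor(compare func(string, string) bool, secret string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/webhook", nil)
	req.Header.Set(secretHeader, secret)
	webhookHandler(compare)(rec, req)
	return rec.Code
}

func main() {
	for _, s := range []string{configuredSecret, "wrong"} {
		fmt.Printf("%q -> vulnerable=%d hardened=%d\n", s, statusFor(vulnerableCompare, s), statusFor(constantTimeCompare, s))
	}
}
```

Both handlers accept and reject the same inputs; the difference is only in how long the rejection takes, which is exactly what a timing attack measures.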

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  Category         Score
  spread           3.1
  impact           2.5
  exploitability   5.2
  remediation      7.7
  relevance        0.0
  threat           0.0
  urgency          2.9
  incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.