| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/mattermost/mattermost/server/v8 | go | >= 10.5.0, < 10.5.2 | 10.5.2 |
| github.com/mattermost/mattermost-plugin-msteams | go | <= 1.15.0 | 2.1.0 |
| github.com/mattermost/mattermost/server/v8 | go | < 8.0.0-20250314142426-c049748b8863 | 8.0.0-20250314142426-c049748b8863 |
The vulnerability description clearly states a timing discrepancy in the MSTeams plugin webhook secret comparison. I started by examining the patched versions. The commit for v2.1.0 of mattermost-plugin-msteams was only a dependency update, indicating the fix was earlier. The server-side patches seemed unrelated to this specific vulnerability. By comparing versions v1.15.0 and v2.1.0 of the plugin, I identified commit cb17aca914577bff27d93f0f53cd6d2890530eab as a large refactoring. Analyzing this commit's changes to server/api.go revealed the direct fix: the processActivity function was modified to use subtle.ConstantTimeCompare for webhook secret validation, replacing the vulnerable direct string comparison. This directly addresses the described timing attack.
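The fix the analysis above points at, shown as a self-contained Go example rather than the plugin's own `processActivity` code: the direct string comparison beside the `subtle.ConstantTimeCompare` form, wired into a minimal webhook handler. The secret constant, the `secret` query parameter, and the handler and helper names are assumptions made for this example; the page does not describe how the real plugin receives the secret.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// webhookSecret is a constructed placeholder. A real deployment reads the
// secret from the plugin configuration; it is hard-coded here only so the
// example runs offline.
const webhookSecret = "example-webhook-secret-0123456789"

// secretMatchesNaive is the pattern the advisory describes as vulnerable.
// Go's == on strings stops at the first differing byte, so the comparison
// takes slightly longer the more leading bytes of the guess are correct.
// Over many requests that difference lets an attacker recover the secret
// one byte at a time.
func secretMatchesNaive(provided, expected string) bool {
	return provided == expected
}

// secretMatchesConstantTime is the hardened form the fix switched to.
// subtle.ConstantTimeCompare touches every byte of both inputs regardless of
// where the first mismatch is. Caveat: it returns 0 immediately when the
// lengths differ, so the secret's length (not its content) remains observable
// through timing; that is acceptable for a fixed-length random secret.
func secretMatchesConstantTime(provided, expected string) bool {
	return subtle.ConstantTimeCompare([]byte(provided), []byte(expected)) == 1
}

// webhookHandler rejects any request whose secret does not match before it
// looks at the body. Reading the secret from a "secret" query parameter is an
// assumption for this example only.
func webhookHandler(expected string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		provided := r.URL.Query().Get("secret")
		if !secretMatchesConstantTime(provided, expected) {
			http.Error(w, "invalid webhook secret", http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusOK)
		fmt.Fprintln(w, "activity accepted")
	}
}

// handleWebhook drives the handler with an in-memory request carrying a
// constructed JSON body and returns the HTTP status code, so the behaviour
// can be checked without opening a network listener.
func handleWebhook(expected, provided string) int {
	body := strings.NewReader(`{"value":[{"constructed":"sample activity"}]}`)
	target := "/webhook?secret=" + url.QueryEscape(provided)
	req := httptest.NewRequest(http.MethodPost, target, body)
	rec := httptest.NewRecorder()
	webhookHandler(expected).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("correct secret ->", handleWebhook(webhookSecret, webhookSecret))
	fmt.Println("near-miss      ->", handleWebhook(webhookSecret, "example-webhook-secret-0123456780"))
	fmt.Println("missing secret ->", handleWebhook(webhookSecret, ""))
}
```

Both comparison functions return the same booleans; the difference is only in how long the mismatch path takes, which is exactly what a timing attack measures. If the webhook payload is also signed, validate the signature with `crypto/hmac.Equal`, which wraps the same constant-time primitive.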