
Observable Timing Discrepancy

CVE-2025-27936

Severity Medium
Score 5.9/10

Summary

Mattermost Plugin MSTeams versions prior to 2.1.1, and Mattermost Server versions 10.5.x prior to 10.5.2 with the MS Teams plugin enabled, do not use a constant-time comparison when checking the MSTeams plugin webhook secret. Because the comparison returns at the first mismatching byte, the response time reveals how much of a guess is correct, which allows an attacker to recover the webhook secret via a timing attack against the secret comparison.

CVSS v3 base metrics (the page lists only the values; the metric names are supplied here from the standard CVSS vector, consistent with the 5.9 score):

  • Attack Complexity: HIGH
  • Attack Vector: NETWORK
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • User Interaction: NONE
  • Availability Impact: NONE
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE

CWE-208 - Observable Timing Discrepancy

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
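The following Go program illustrates both the summary above and the CWE-208 definition: a webhook handler that checks a shared secret with an ordinary string comparison (the bug class the advisory describes) next to the hardened form. This is an added example written for this page, not code from the Mattermost MSTeams plugin; the route, the `secret` query parameter, the `webhookSecret` value and the function names are assumptions for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Constructed secret for this example; a real plugin loads it from its configuration.
const webhookSecret = "example-webhook-secret-not-real"

// insecureSecretMatch mirrors the bug class in the advisory: Go's string ==
// stops at the first differing byte, so the time it takes depends on how many
// leading bytes of the guess are correct. An attacker who can measure response
// times can therefore recover the secret one byte at a time.
func insecureSecretMatch(presented, expected string) bool {
	return presented == expected
}

// constantTimeSecretMatch is the hardened form. Both values are hashed first so
// that the compared buffers always have the same length (subtle.ConstantTimeCompare
// returns immediately on a length mismatch, which would otherwise leak the
// secret's length), then compared in time independent of where they differ.
func constantTimeSecretMatch(presented, expected string) bool {
	p := sha256.Sum256([]byte(presented))
	e := sha256.Sum256([]byte(expected))
	return subtle.ConstantTimeCompare(p[:], e[:]) == 1
}

// newWebhookHandler returns an HTTP handler that authenticates a webhook call by
// a "secret" query parameter using the supplied comparison function. The route
// and parameter name are assumptions for this example, not the plugin's.
func newWebhookHandler(match func(presented, expected string) bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !match(r.URL.Query().Get("secret"), webhookSecret) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusOK)
		fmt.Fprintln(w, "webhook accepted")
	})
}

// webhookStatus sends one in-memory request carrying the given secret to the
// handler and returns the HTTP status code, so both variants run offline.
func webhookStatus(h http.Handler, secret string) int {
	q := url.Values{"secret": {secret}}
	req := httptest.NewRequest(http.MethodPost, "/plugins/example/webhook?"+q.Encode(), nil)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	secure := newWebhookHandler(constantTimeSecretMatch)
	fmt.Println("correct secret ->", webhookStatus(secure, webhookSecret))
	fmt.Println("wrong secret   ->", webhookStatus(secure, "example-webhook-secret-not-reaX"))
	fmt.Println("empty secret   ->", webhookStatus(secure, ""))
}
```

Both functions accept and reject the same inputs; the difference is only in how long the rejection takes, which is exactly what CWE-208 is about. `hmac.Equal` from `crypto/hmac` is an equivalent constant-time choice in Go. The hashing step matters because `subtle.ConstantTimeCompare` documents that it returns early when the slice lengths differ, so comparing raw secrets of attacker-chosen length would still leak the secret's length.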

Advisory Timeline

  • Published