CVE-2017-18883

EPSS 0.23%

Mattermost Server has low entropy for authorization data as an OAuth 2.0 Service Provider

Published: 5/24/2022
Modified: 12/9/2025
Also known as: GHSA-w8cc-3h7q-jhc3, GO-2025-4198

Description

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low entropy for authorization data.

Affected packages (2)

CVSS scores

Source | Version | Severity | Vector
osv | CVSS 4.0 | | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References (4)