x/vulndb: potential Go vuln in github.com/mattermost/mattermost-plugin-msteams: GHSA-2j87-p623-8cc2

[GoVulnBot]

Advisory GHSA-2j87-p623-8cc2 references a vulnerability in the following Go modules:

Module
github.com/mattermost/mattermost-plugin-msteams

Description:
Mattermost Plugin MSTeams versions <2.1.0 and Mattermost Server versions 10.5.x <=10.5.1 with the MS Teams plugin enabled fail to perform constant time comparison on a MSTeams plugin webhook secret which allows an attacker to retrieve the webhook secret of the MSTeams plugin via a timing attack during webhook secret comparison.

References:

• ADVISORY: GHSA-2j87-p623-8cc2
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-27936
• WEB: https://mattermost.com/security-updates

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/mattermost/mattermost-plugin-msteams
      non_go_versions:
        - introduced: TODO (earliest fixed "2.1.0", vuln range "<= 1.15.0")
        - fixed: 8.0.0-20250218121836-2b5275d87136
        - introduced: 10.5.0
        - fixed: 10.5.2
      vulnerable_at: 1.15.0
summary: Mattermost vulnerable to Observable Timing Discrepancy in github.com/mattermost/mattermost-plugin-msteams
cves:
    - CVE-2025-27936
ghsas:
    - GHSA-2j87-p623-8cc2
references:
    - advisory: https://github.com/advisories/GHSA-2j87-p623-8cc2
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-27936
    - web: https://mattermost.com/security-updates
source:
    id: GHSA-2j87-p623-8cc2
    created: 2025-04-16T15:01:57.709982017Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/665975 mentions this issue: data/reports: add 12 reports