Vulnerabilities > CVE-2017-18883 - Insufficient Entropy vulnerability in Mattermost Server

CVSS 6.4 - MEDIUM

Attack vector

UNKNOWN

Attack complexity

UNKNOWN

Privileges required

UNKNOWN

Confidentiality impact

UNKNOWN

Integrity impact

UNKNOWN

Availability impact

UNKNOWN

mattermost

CWE-331

NVD

Published: 2020-06-19

Updated: 2020-06-19

Summary

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low entropy for authorization data.

Vulnerable Configurations

Part	Description	Count
Application	Mattermost Mattermost Mattermost Server 0.5.0 Mattermost Mattermost Server 0.6.0 Mattermost Mattermost Server 1.0.0 Mattermost Mattermost Server 1.1.0 Mattermost Mattermost Server 1.1.1 Mattermost Mattermost Server 1.2.0 Mattermost Mattermost Server 1.2.1 Mattermost Mattermost Server 1.3.0 Mattermost Mattermost Server 1.4.0 Mattermost Mattermost Server 2.0.0 Mattermost Mattermost Server 2.1.0 Mattermost Mattermost Server 2.2.0 Mattermost Mattermost Server 3.0.0 Mattermost Mattermost Server 3.0.1 Mattermost Mattermost Server 3.0.2 Mattermost Mattermost Server 3.0.3 Mattermost Mattermost Server 3.1.0 Mattermost Mattermost Server 3.2.0 Mattermost Mattermost Server 3.3.0 Mattermost Mattermost Server 3.4.0 Mattermost Mattermost Server 3.5.0 Mattermost Mattermost Server 3.5.1 Mattermost Mattermost Server 3.5.2 Mattermost Mattermost Server 3.5.3 Mattermost Mattermost Server 3.6.0 Mattermost Mattermost Server 3.6.1 Mattermost Mattermost Server 3.6.2 Mattermost Mattermost Server 3.6.3 Mattermost Mattermost Server 3.6.4 Mattermost Mattermost Server 3.6.5 Mattermost Mattermost Server 3.6.6 Mattermost Mattermost Server 3.6.7 Mattermost Mattermost Server 3.7.0 Mattermost Mattermost Server 3.7.1 Mattermost Mattermost Server 3.7.2 Mattermost Mattermost Server 3.7.3 Mattermost Mattermost Server 3.7.4 Mattermost Mattermost Server 3.7.5 Mattermost Mattermost Server 3.7.6 Mattermost Mattermost Server 3.8.0 Mattermost Mattermost Server 3.8.1 Mattermost Mattermost Server 3.8.2 Mattermost Mattermost Server 3.8.3 Mattermost Mattermost Server 3.9.0 Mattermost Mattermost Server 3.9.1 Mattermost Mattermost Server 3.9.2 Mattermost Mattermost Server 3.10.0 Mattermost Mattermost Server 3.10.1 Mattermost Mattermost Server 3.10.2 Mattermost Mattermost Server 3.10.3 Mattermost Mattermost Server 4.0.0 Mattermost Mattermost Server 4.0.1 Mattermost Mattermost Server 4.0.2 Mattermost Mattermost Server 4.0.3 Mattermost Mattermost Server 4.0.4 Mattermost Mattermost Server 4.0.5 Mattermost Mattermost Server 4.1.0 Mattermost Mattermost Server 4.1.1 Mattermost Mattermost Server 4.2.0 Mattermost Mattermost Server 4.3.0	81

Common Weakness Enumeration (CWE)

CWE-331 - Insufficient Entropy

Common Attack Pattern Enumeration and Classification (CAPEC)

Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

References

https://mattermost.com/security-updates/