VYPR
Moderate severity · NVD Advisory · Published Jun 19, 2020 · Updated Aug 5, 2024

CVE-2017-18883

Description

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low entropy for authorization data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mattermost Server before 4.3.0, 4.2.1, and 4.1.2 has an OAuth 2.0 authorization data entropy weakness.

Vulnerability

Overview

When Mattermost Server is configured as an OAuth 2.0 Service Provider, the authorization data generated for OAuth flows has low entropy. This means the tokens or authorization codes are not sufficiently random, making them predictable to an attacker. The issue affects Mattermost Server versions prior to 4.3.0, 4.2.1, and 4.1.2 [1].

Exploitation and Attack Surface

The vulnerability is present in the OAuth 2.0 provider functionality of Mattermost. An attacker who can obtain or predict the low-entropy authorization data could gain unauthorized access. No authentication is required to initiate an OAuth flow, but the attacker must be able to interact with the Mattermost OAuth endpoints. The low entropy reduces the difficulty of brute-force or prediction attacks on authorization codes or tokens [1].
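The advisory does not describe how the affected releases generated their authorization data or what the fixed releases changed, so the following Go snippet is an added illustration rather than Mattermost's code. It shows what "adequate entropy" for OAuth authorization data looks like in practice: codes drawn from the operating system's CSPRNG with 256 bits of raw material (RFC 6749 section 10.10 requires the guess probability for such credentials to be at most 2^-128), plus a shape check a token endpoint can apply before looking a code up. The constant and function names are this example's own assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// minEntropyBytes is an assumed policy for this example: 32 bytes = 256 bits
// of CSPRNG output per code, above the 2^-128 guess-probability bound that
// RFC 6749 section 10.10 places on tokens and authorization codes.
const minEntropyBytes = 32

// NewAuthorizationCode returns an unguessable authorization code: raw bytes
// from crypto/rand (the OS CSPRNG, never math/rand or a timestamp-derived
// value), base64url-encoded without padding so it is URL-safe.
func NewAuthorizationCode() (string, error) {
	buf := make([]byte, minEntropyBytes)
	if _, err := rand.Read(buf); err != nil {
		// Fail closed: a code must never be issued from a degraded source.
		return "", fmt.Errorf("csprng unavailable: %w", err)
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// ValidateCodeShape is a cheap defensive check for the token endpoint: it
// rejects values that do not decode as base64url or that carry fewer than
// minEntropyBytes of raw material. It cannot measure randomness itself, so it
// complements, rather than replaces, generating codes from a CSPRNG.
func ValidateCodeShape(code string) error {
	raw, err := base64.RawURLEncoding.DecodeString(code)
	if err != nil {
		return errors.New("authorization code is not base64url")
	}
	if len(raw) < minEntropyBytes {
		return fmt.Errorf("authorization code too short: %d bytes, need %d", len(raw), minEntropyBytes)
	}
	return nil
}

func main() {
	code, err := NewAuthorizationCode()
	if err != nil {
		panic(err)
	}
	fmt.Println("issued code:", code, "valid:", ValidateCodeShape(code) == nil)
}
```

A length check only catches codes that are obviously too small; a 32-byte value derived from a counter or clock would pass it and still be predictable, which is why the generator, not the validator, is the control that matters here.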

Impact

Successful exploitation could allow an attacker to impersonate a legitimate user or application in the OAuth flow, potentially gaining access to resources that should be protected. The exact impact depends on the OAuth scope and permissions granted, but it could lead to unauthorized data access or privilege escalation within the Mattermost system [1].

Mitigation

The vulnerability is fixed in Mattermost Server versions 4.3.0, 4.2.1, and 4.1.2. Users should upgrade to one of these releases or later to ensure adequate entropy in OAuth authorization data. The Mattermost project provides security updates and encourages users to subscribe to security bulletins for timely notifications [2][3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                        Affected versions        Patched versions
github.com/mattermost/mattermost-server (Go)   < 4.1.2                  4.1.2
github.com/mattermost/mattermost-server (Go)   >= 4.2.0-rc1, < 4.2.1    4.2.1
github.com/mattermost/mattermost-server (Go)   >= 4.3.0-rc1, < 4.3.0    4.3.0
