Insufficient Entropy in Mattermost Server - CVE-2017-18883

 

Insufficient Entropy in Mattermost Server - CVE-2017-18883

Published: June 19, 2020 / Updated: July 17, 2020


Vulnerability identifier: #VU30195
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2017-18883
CWE-ID: CWE-331
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Mattermost, Inc.
Affected software:
Mattermost Server

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2, when serving as an OAuth 2.0 Service Provider. There is low entropy for authorization data.


How to mitigate CVE-2017-18883

Install update from vendor's website.

Sources