{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "fixed": "4.0.5" }, { "introduced": "4.1.0" }, { "fixed": "4.1.1" }, { "introduced": "0" }, { "last_affected": "4.2.0-rc1" }, { "introduced": "0" }, { "last_affected": "4.2.0-rc2" }, { "introduced": "0" }, { "last_affected": "4.2.0-rc3" }, { "introduced": "0" }, { "last_affected": "4.2.0-rc4" } ] }, "events": [ { "introduced": "0" }, { "fixed": "ff513427371cd84e07b19c0586d419dbed976b31" }, { "introduced": "0033e3e37b12cb5d951d21492500d66a6abc472b" }, { "fixed": "5549c9149e80537d0f431b6b3ebf638c35568c4f" }, { "introduced": "0" }, { "last_affected": "f968c56890bd84295672ee0d46cc846cac2dbd47" }, { "introduced": "0" }, { "last_affected": "7018c187e13be731e4e8dc36b731b07128f030fa" }, { "introduced": "0" }, { "last_affected": "f4146835fe37856c0e109b819328772fa104ad80" }, { "introduced": "0" }, { "last_affected": "a5ce36d0882ae1b4b409a7b68233bf89591a5f95" } ], "repo": "https://github.com/mattermost/mattermost-server", "type": "GIT" } ] } ], "details": "An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. Sometimes. resource-owner authorization is bypassed, allowing account takeover.", "id": "CVE-2017-18894", "modified": "2026-03-13T21:48:38.333629728Z", "published": "2020-06-19T19:15:10.967Z", "references": [ { "type": "ADVISORY", "url": "https://mattermost.com/security-updates/" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "type": "CVSS_V3" } ] }