Lucene search

GitHub Advisory DatabaseGHSA-2JXX-2X93-2Q2F

HistoryOct 19, 2022 - 7:00 p.m.

Non-constant time webhook token comparison in Jenkins Generic Webhook Trigger Plugin

2022-10-1919:00:22

CWE-203

CWE-208

GitHub Advisory Database

github.com

jenkins

webhook

token

comparison

1.84.1

1.84.2

security flaw

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

33.5%

JSON

Generic Webhook Trigger Plugin 1.84.1 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal.

This could potentially allow attackers to use statistical methods to obtain a valid webhook token.

Generic Webhook Trigger Plugin 1.84.2 uses a constant-time comparison when validating the webhook token.

Affected configurations

Vulners

Node

org.jenkins-ci.pluginsgeneric-webhook-triggerRange<1.84.2

VendorProductVersionCPE
org.jenkins-ci.pluginsgeneric-webhook-trigger*cpe:2.3:a:org.jenkins-ci.plugins:generic-webhook-trigger:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.jenkins-ci.plugins	generic-webhook-trigger	*	cpe:2.3:a:org.jenkins-ci.plugins:generic-webhook-trigger::::::::

References

www.openwall.com/lists/oss-security/2022/10/19/3

github.com/advisories/GHSA-2jxx-2x93-2q2f

nvd.nist.gov/vuln/detail/CVE-2022-43412

www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2874

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

33.5%

JSON

Related for GHSA-2JXX-2X93-2Q2F