Lucene search

GitHub Advisory DatabaseGHSA-5R33-MGJF-6656

HistoryAug 16, 2023 - 3:30 p.m.

Jenkins Tuleap Authentication Plugin non-constant time token comparison

2023-08-1615:30:18

CWE-203

GitHub Advisory Database

github.com

jenkins

tuleap

authentication

plugin

security fix

token comparison

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

50.6%

JSON

Jenkins Tuleap Authentication Plugin 1.1.20 and earlier does not use a constant-time comparison when checking whether two authentication tokens are equal.

This could potentially allow attackers to use statistical methods to obtain a valid authentication token.

Tuleap Authentication Plugin 1.1.21 uses a constant-time comparison when validating authentication tokens.

Affected configurations

Vulners

Node

io.jenkins.pluginstuleap-oauthRange<1.1.21

VendorProductVersionCPE
io.jenkins.pluginstuleap-oauth*cpe:2.3:a:io.jenkins.plugins:tuleap-oauth:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
io.jenkins.plugins	tuleap-oauth	*	cpe:2.3:a:io.jenkins.plugins:tuleap-oauth::::::::

References

www.openwall.com/lists/oss-security/2023/08/16/3

github.com/advisories/GHSA-5r33-mgjf-6656

nvd.nist.gov/vuln/detail/CVE-2023-40343

www.jenkins.io/security/advisory/2023-08-16/#SECURITY-3229

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

50.6%

JSON

Related for GHSA-5R33-MGJF-6656