Lucene search

GitHub Advisory DatabaseGHSA-8859-V9JP-CPHF

HistoryOct 25, 2023 - 6:32 p.m.

Jenkins Multibranch Scan Webhook Trigger Plugin uses non-constant time webhook token comparison

2023-10-2518:32:25

CWE-208

CWE-697

GitHub Advisory Database

github.com

jenkins

multibranch

scan

webhook

trigger

plugin

vulnerability

token

comparison

security

advisory

software

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.0005 Low

EPSS

Percentile

17.1%

JSON

Jenkins Multibranch Scan Webhook Trigger Plugin 1.0.9 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal.

This could potentially allow attackers to use statistical methods to obtain a valid webhook token.

As of publication of this advisory, there is no fix.

Affected configurations

Vulners

Node

jenkinsmultibranch_scan_webhook_triggerRange≤1.0.9jenkins

CPENameOperatorVersion
igalg.jenkins.plugins:multibranch-scan-webhook-triggerle1.0.9

CPE	Name	Operator	Version
	igalg.jenkins.plugins:multibranch-scan-webhook-trigger	le	1.0.9

References

www.openwall.com/lists/oss-security/2023/10/25/2

github.com/advisories/GHSA-8859-v9jp-cphf

nvd.nist.gov/vuln/detail/CVE-2023-46656

www.jenkins.io/security/advisory/2023-10-25/#SECURITY-2875

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.0005 Low

EPSS

Percentile

17.1%

JSON

Related for GHSA-8859-V9JP-CPHF