GitHub Advisory Database: GHSA-F9F9-4R63-4QCC

Non-constant time webhook token comparison in Jenkins GitLab Plugin

Published: Oct 19, 2022, 19:00:22
Weaknesses: CWE-203 (Observable Discrepancy), CWE-208 (Observable Timing Discrepancy)
Source: GitHub Advisory Database (github.com)
Tags: jenkins, gitlab plugin, webhook token

CVSS 3.1 base score: 5.3 (Medium)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None

EPSS: 0.001 (Low), percentile 33.7%

GitLab Plugin 1.5.35 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal. An ordinary string comparison returns as soon as it reaches the first differing character, so the time the plugin takes to reject a token depends on how many leading characters of the guess were correct.

This could potentially allow attackers to use statistical methods to obtain a valid webhook token: an unauthenticated attacker who can reach the webhook endpoint sends many requests for each candidate character, averages the response times to separate the per-character timing difference from network jitter, and recovers the token one position at a time instead of brute-forcing it as a whole. The difference per character is tiny compared with network noise, so a large number of measurements is needed; this is why the confidentiality impact is rated Low and the overall score is 5.3.

GitLab Plugin 1.5.36 uses a constant-time comparison when validating the webhook token, which examines every character regardless of where the first mismatch occurs and so removes the timing signal.
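The attack the advisory alludes to, shown as an added example in Python (this is not the plugin's code; the Jenkins plugin itself is Java, where `java.security.MessageDigest.isEqual` is the usual constant-time primitive). To make the leak visible without noisy wall-clock timing, each comparison reports how many bytes it examined; that count stands in for the response time an attacker would have to estimate statistically over many requests. The token value and the alphabet are constructed for the demonstration.

```python
"""Timing side channel in a webhook-token check: early-exit compare vs constant-time compare.

Added example, not code from the Jenkins GitLab Plugin. Elapsed time is modelled by the
number of bytes a comparison examines, so the leak shows up deterministically instead of
through noisy network measurements.
"""
import hmac
import string

ALPHABET = string.ascii_lowercase + string.digits

# Constructed sample token for the demonstration; not a real secret.
EXPECTED_TOKEN = "k7x2qz9m"


def early_exit_compare(expected: str, provided: str) -> tuple[bool, int]:
    """Compare like String.equals: stop at the first differing byte.

    Returns (equal, bytes_examined). The second value stands in for the elapsed
    time an attacker would measure: it grows with the length of the matching prefix.
    """
    a, b = expected.encode(), provided.encode()
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_compare(expected: str, provided: str) -> tuple[bool, int]:
    """Same result, but every byte is examined regardless of where a mismatch occurs.

    Only the length remains observable, which is harmless when the expected token
    has a fixed, publicly known length.
    """
    a, b = expected.encode(), provided.encode()
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y          # accumulate differences; no data-dependent branch
    return diff == 0, len(a)


def check_webhook_token(expected: str, provided: str) -> bool:
    """What a fixed implementation should do in practice: use the stdlib primitive."""
    return hmac.compare_digest(expected.encode(), provided.encode())


def recover_token(compare, expected: str, length: int) -> tuple[str, int]:
    """Recover the token one position at a time using only the leaked byte count.

    `compare` is the comparison under attack and `expected` is the server-side secret,
    which the attacker never reads directly. Returns (recovered_token, queries_issued).
    """
    known = ""
    queries = 0
    for pos in range(length):
        best_char, best_examined = ALPHABET[0], -1
        for c in ALPHABET:
            guess = known + c + ALPHABET[0] * (length - pos - 1)
            equal, examined = compare(expected, guess)
            queries += 1
            if equal:
                return guess, queries
            # A correct character lets the comparison proceed at least one byte further.
            if examined > best_examined:
                best_char, best_examined = c, examined
        known += best_char
    return known, queries
```

Against `early_exit_compare` the recovery needs at most `len(token) * len(ALPHABET)` queries (here 8 * 36 = 288) instead of 36^8 for a blind brute force; against `constant_time_compare` every guess examines the same number of bytes, so the attacker learns nothing and the recovered string is just the tie-break character repeated. Over a real network the per-byte difference is nanoseconds inside milliseconds of jitter, so each candidate must be measured many times and averaged, which is the "statistical methods" the advisory refers to.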

Affected configurations

org.jenkinsci.plugins: jdk_parameter_plugin
