Lucene search

GitHub Advisory DatabaseGHSA-G58X-57FV-86JH

HistorySep 06, 2023 - 3:30 p.m.

Jenkins Google Login Plugin non-constant time token comparison

2023-09-0615:30:26

CWE-697

GitHub Advisory Database

github.com

jenkins

google

plugin

vulnerability

non-constant time comparison

token

attackers

statistical methods

software

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

6.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

37.3%

JSON

Jenkins Google Login Plugin 1.7 and earlier uses a non-constant time comparison function when checking whether the provided and expected token are equal, potentially allowing attackers to use statistical methods to obtain a valid token.

Affected configurations

Vulners

Node

org.jenkinsci.plugins\Matchs3

CPENameOperatorVersion
org.jenkins-ci.plugins:google-loginle1.7

CPE	Name	Operator	Version
	org.jenkins-ci.plugins:google-login	le	1.7

References

www.openwall.com/lists/oss-security/2023/09/06/9

github.com/advisories/GHSA-g58x-57fv-86jh

github.com/jenkinsci/google-login-plugin/commit/2273af025ad06ee13ab73a5a070b10689c2db61e

nvd.nist.gov/vuln/detail/CVE-2023-41936

www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3228

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

6.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

37.3%

JSON

Related for GHSA-G58X-57FV-86JH