Lucene search

GoogleOSV:GHSA-2XPQ-5952-38W3

HistoryOct 25, 2023 - 6:32 p.m.

Jenkins MSTeams Webhook Trigger Plugin uses non-constant time webhook token comparison

2023-10-2518:32:25

Google

osv.dev

jenkins

msteams

webhook trigger

plugin

vulnerability

non-constant time

token comparison

security

advisory

fix

software

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

6.8 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.0%

JSON

Jenkins MSTeams Webhook Trigger Plugin 0.1.1 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal.

This could potentially allow attackers to use statistical methods to obtain a valid webhook token.

As of publication of this advisory, there is no fix.

CPENameOperatorVersion
io.jenkins.plugins:teams-webhook-triggereq0.1.0
io.jenkins.plugins:teams-webhook-triggereq0.1.1

CPE	Name	Operator	Version
	io.jenkins.plugins:teams-webhook-trigger	eq	0.1.0
	io.jenkins.plugins:teams-webhook-trigger	eq	0.1.1

References

www.openwall.com/lists/oss-security/2023/10/25/2

github.com/jenkinsci/teams-webhook-trigger-plugin

nvd.nist.gov/vuln/detail/CVE-2023-46658

www.jenkins.io/security/advisory/2023-10-25/#SECURITY-2876

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

6.8 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.0%

JSON

Related for OSV:GHSA-2XPQ-5952-38W3