Lucene search

GoogleOSV:GHSA-8859-V9JP-CPHF

HistoryOct 25, 2023 - 6:32 p.m.

Jenkins Multibranch Scan Webhook Trigger Plugin uses non-constant time webhook token comparison

2023-10-2518:32:25

Google

osv.dev

jenkins

multibranch scan

webhook

trigger plugin

security issue

token comparison

attack

statistical methods

advisory

software

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

20.2%

JSON

Jenkins Multibranch Scan Webhook Trigger Plugin 1.0.9 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal.

This could potentially allow attackers to use statistical methods to obtain a valid webhook token.

As of publication of this advisory, there is no fix.

References

www.openwall.com/lists/oss-security/2023/10/25/2

github.com/jenkinsci/multibranch-scan-webhook-trigger-plugin

nvd.nist.gov/vuln/detail/CVE-2023-46656

www.jenkins.io/security/advisory/2023-10-25/#SECURITY-2875

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

20.2%

JSON

Related for OSV:GHSA-8859-V9JP-CPHF