Lucene search

GoogleOSV:GHSA-F67F-2J6R-M4C9

HistoryJan 24, 2024 - 6:31 p.m.

Non-constant time webhook token comparison in Jenkins GitLab Branch Source Plugin

2024-01-2418:31:02

Google

osv.dev

jenkins

gitlab

webhook

token

comparison

security

vulnerability

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

17.0%

JSON

Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier does not use a constant-time comparison function when checking whether the provided and expected webhook token are equal.

This could potentially allow attackers to use statistical methods to obtain a valid webhook token.

GitLab Branch Source Plugin 688.v5fa_356ee8520 uses a constant-time comparison function when validating the webhook token.

References

www.openwall.com/lists/oss-security/2024/01/24/6

github.com/jenkinsci/gitlab-branch-source-plugin

github.com/jenkinsci/gitlab-branch-source-plugin/commit/8bfe1046cf342b99419457b9336addbbf346f89a

nvd.nist.gov/vuln/detail/CVE-2024-23903

www.jenkins.io/security/advisory/2024-01-24/#SECURITY-2871

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

17.0%

JSON

Related for OSV:GHSA-F67F-2J6R-M4C9