Jenkins 2.218 and earlier, LTS 2.204.1 and earlier, do not use a constant-time comparison to validate the connection secret when an inbound TCP agent connection is initiated. This could potentially allow attackers to use statistical methods to obtain the connection secret.
Jenkins 2.219 and LTS 2.204.2 now use a constant-time comparison function for verifying connection secrets.
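The difference between an early-exit and a constant-time comparison, as an added Java example (not Jenkins code and not taken from the fix commit). The class and method names and the sample secret are constructed for illustration, and the byte counter stands in for elapsed time.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class SecretCompareDemo {
    // Bytes examined by the last call; a stand-in for elapsed time in this demo.
    static int bytesExamined;

    // Early-exit comparison: returns at the first mismatch, so the work done
    // grows with the length of the correct prefix in the supplied value.
    static boolean earlyExitEquals(byte[] expected, byte[] provided) {
        bytesExamined = 0;
        if (expected.length != provided.length) return false;
        for (int i = 0; i < expected.length; i++) {
            bytesExamined++;
            if (expected[i] != provided[i]) return false;
        }
        return true;
    }

    // Same loop without the early exit: differences are OR-ed into one value,
    // so every byte is examined wherever the mismatch is.
    static boolean accumulateEquals(byte[] expected, byte[] provided) {
        bytesExamined = 0;
        if (expected.length != provided.length) return false;
        int diff = 0;
        for (int i = 0; i < expected.length; i++) {
            bytesExamined++;
            diff |= expected[i] ^ provided[i];
        }
        return diff == 0;
    }

    // In real code, use the JDK's comparison rather than a hand-written loop.
    static boolean secretMatches(String expected, String provided) {
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                provided.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String secret = "constructed-secret-0123456789abcd"; // constructed sample value
        String[] candidates = { "Xonstructed-secret-0123456789abcd", // differs at byte 0
                "constructed-secXet-0123456789abcd", secret };       // differs at byte 15; exact
        byte[] s = secret.getBytes(StandardCharsets.UTF_8);
        for (String c : candidates) {
            byte[] p = c.getBytes(StandardCharsets.UTF_8);
            boolean a = earlyExitEquals(s, p); int na = bytesExamined;
            boolean b = accumulateEquals(s, p); int nb = bytesExamined;
            System.out.printf("early-exit=%b (%d bytes) accumulate=%b (%d bytes) isEqual=%b%n",
                    a, na, b, nb, secretMatches(secret, c));
        }
    }
}
```

The early-exit count changes with the position of the first wrong byte while the accumulating count stays fixed, which is the property a constant-time comparison is meant to provide.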
www.openwall.com/lists/oss-security/2020/01/29/1
access.redhat.com/errata/RHBA-2020:0402
access.redhat.com/errata/RHBA-2020:0675
access.redhat.com/errata/RHSA-2020:0681
access.redhat.com/errata/RHSA-2020:0683
github.com/jenkinsci/jenkins
github.com/jenkinsci/jenkins/commit/0ba36508187ff771bba87feaf03057496775064c
jenkins.io/security/advisory/2020-01-29/#SECURITY-1659
nvd.nist.gov/vuln/detail/CVE-2020-2101