OSV (Google): GHSA-W7JR-WQW6-54XC
History: May 24, 2022 - 5:07 p.m.

Non-constant time comparison of inbound TCP agent connection secret

Source: Google / osv.dev
Tags: security flaw, tcp agent, connection secret, jenkins, lts, constant-time comparison, software

EPSS: 0.002
Percentile: 57.7%

Jenkins 2.218 and earlier, and LTS 2.204.1 and earlier, do not use a constant-time comparison when validating the connection secret presented by an inbound TCP agent connection. Because an early-exit comparison takes slightly longer the more leading bytes of the secret a guess gets right, an attacker able to open inbound agent connections could potentially use statistical timing measurements to recover the connection secret.

Jenkins 2.219 and LTS 2.204.2 use a constant-time comparison function to verify connection secrets.
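The following is an added example and is not part of this advisory or of the Jenkins code base; it models the flaw and the fix in Python. `naive_equals` is an early-exit comparison of the kind the advisory describes, `constant_time_equals` is the hardened form, and `recover_with_oracle` plays an attacker who, instead of measuring wall-clock time, reads the number of bytes the comparator inspected (a deterministic stand-in for a timing side channel). The secret value and all function names are constructed for the illustration.

```python
import hmac


# Constructed stand-in for an agent connection secret (not a real Jenkins value).
SECRET = b"3b9fd2e7c4a1"


def naive_equals(expected: bytes, provided: bytes):
    """Flawed early-exit comparison: returns (match, bytes_inspected).

    Stops at the first mismatching byte, so the time taken (here: the count
    of inspected bytes) grows with the length of the correct prefix.
    """
    if len(expected) != len(provided):
        return False, 0
    inspected = 0
    for a, b in zip(expected, provided):
        inspected += 1
        if a != b:
            return False, inspected
    return True, inspected


def constant_time_equals(expected: bytes, provided: bytes):
    """Hardened comparison: returns (match, bytes_inspected).

    Every byte is visited and differences are OR-accumulated, so the work
    done does not depend on where (or whether) the inputs differ. Only the
    length check short-circuits; the secret's length is not sensitive here.
    """
    if len(expected) != len(provided):
        return False, 0
    diff = 0
    inspected = 0
    for a, b in zip(expected, provided):
        inspected += 1
        diff |= a ^ b
    return diff == 0, inspected


def verify_secret(expected: bytes, provided: bytes) -> bool:
    """What production code should call: the stdlib constant-time compare."""
    return hmac.compare_digest(expected, provided)


def recover_with_oracle(secret: bytes, comparator) -> bytes:
    """Attacker model: recover `secret` one byte at a time.

    For each position, try all 256 candidates (padding the rest with zeros)
    and keep the candidate that makes the comparator do the most work. If no
    single candidate stands out, the side channel is silent and the attacker
    gives up, returning only what has been recovered so far.
    """
    n = len(secret)
    recovered = bytearray()
    for pos in range(n):
        work_by_candidate = {}
        for c in range(256):
            guess = bytes(recovered) + bytes([c]) + b"\x00" * (n - pos - 1)
            matched, work = comparator(secret, guess)
            if matched:
                return guess  # full match: the secret has been recovered
            work_by_candidate[c] = work
        best = max(work_by_candidate.values())
        if list(work_by_candidate.values()).count(best) != 1:
            return bytes(recovered)  # no unique leader: oracle leaks nothing
        recovered.append(max(work_by_candidate, key=work_by_candidate.get))
    return bytes(recovered)


if __name__ == "__main__":
    print("early-exit comparator :", recover_with_oracle(SECRET, naive_equals))
    print("constant-time compare :", recover_with_oracle(SECRET, constant_time_equals))
```

Against `naive_equals` the oracle recovers the whole secret with at most 256 guesses per byte; against `constant_time_equals` every guess costs the same and the attacker learns nothing. A real attacker substitutes round-trip timing of many connection attempts for the byte counter and averages out network jitter, which is the statistical method the advisory refers to. In Java the equivalent of `hmac.compare_digest` is `java.security.MessageDigest.isEqual`; the advisory does not name the function Jenkins adopted, only that it is constant-time.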
