GHSA-f67f-2j6r-m4c9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-f67f-2j6r-m4c9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-f67f-2j6r-m4c9/GHSA-f67f-2j6r-m4c9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-f67f-2j6r-m4c9
- Aliases
- Published
- 2024-01-24T18:31:02Z
- Modified
- 2024-02-16T08:22:15.195882Z
- Severity
-
- 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Non-constant time webhook token comparison in Jenkins GitLab Branch Source Plugin
- Details
-
Jenkins GitLab Branch Source Plugin 684.veafa7c1e2fe3 and earlier does not use a constant-time comparison function when checking whether the provided and expected webhook token are equal.
This could potentially allow attackers to use statistical methods to obtain a valid webhook token.
GitLab Branch Source Plugin 688.v5fa_356ee8520 uses a constant-time comparison function when validating the webhook token.
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2024-01-24T21:50:51Z", "cwe_ids": [ "CWE-697" ], "severity": "LOW", "nvd_published_at": "2024-01-24T18:15:09Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2024-23903
- https://github.com/jenkinsci/gitlab-branch-source-plugin/commit/8bfe1046cf342b99419457b9336addbbf346f89a
- https://github.com/jenkinsci/gitlab-branch-source-plugin
- https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-2871
- http://www.openwall.com/lists/oss-security/2024/01/24/6
Affected packages
Maven / io.jenkins.plugins:gitlab-branch-source
Package
- Name
- io.jenkins.plugins:gitlab-branch-source
- View open source insights on deps.dev
- Purl
- pkg:maven/io.jenkins.plugins/gitlab-branch-source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed688.v5fa
Affected versions
0.*
0.0.5-alpha-2
0.0.7-beta
0.0.8-beta
1.*
1.0.0
1.1.0
1.1.1-alpha
1.1.2-alpha
1.2.0
1.2.1
1.2.2
1.3.0
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.5.8
1.5.9
621.*
621.vd49608f876da_
623.*
623.vcc98dc4b_0ce4
625.*
625.v85cf3a_400cfe
628.*
628.ve99e3d4df4b_8
629.*
629.vb_cc76608e806
630.*
630.v04ca_c57fa_880
633.*
633.ved9984f943da_
636.*
636.v55fd8144d335
640.*
640.v7101b_1c0def9
642.*
642.v9ed86b_b_54384
643.*
643.vdc12a_4a_06434
644.*
644.va_a_66886e07b_5
645.*
645.v62a_b_6fce8659
646.*
646.vb_9560d64b_69f
647.*
647.vdee7766b_cfa_e
649.*
649.v0dda_db_88b_5ee
650.*
650.va_d1ce6d01959
659.*
659.va_685a_51fda_db_
660.*
660.vd45c0f4c0042
663.*
663.v2602c3e6376d
664.*
664.v877fdc293c89
670.*
670.vf7df45517001
671.*
671.v67b_7169092ca_
672.*
672.vd8b_0b_b_a_db_1b_3
677.*
677.v0b_63b_038322b_
679.*
679.v1dfd3604d46e
680.*
680.vc179a_1a_37915
684.*
684.vea_fa_7c1e2fe3