GHSA-fpj7-9xm6-8hgr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-fpj7-9xm6-8hgr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-fpj7-9xm6-8hgr/GHSA-fpj7-9xm6-8hgr.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-fpj7-9xm6-8hgr
- Aliases
- Published
- 2022-01-21T23:38:30Z
- Modified
- 2024-02-16T07:58:00.156125Z
- Severity
-
- 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Observable Discrepancy and Observable Timing Discrepancy in Jenkins Configuration as Code Plugin
- Details
-
Jenkins Configuration as Code Plugin prior to 1.55.1, 1.54.1, 1.53.1, and 1.47.1 does not use a constant-time comparison when checking whether two authentication tokens are equal.
This could potentially allow attackers to use statistical methods to obtain a valid authentication token.
Configuration as Code Plugin 1.55.1, 1.54.1, 1.53.1, and 1.47.1 now uses a constant-time comparison when validating authentication tokens.
- Database specific
{ "nvd_published_at": "2022-01-12T20:15:00Z", "cwe_ids": [ "CWE-203", "CWE-208" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2022-01-20T14:42:40Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2022-23106
- https://github.com/jenkinsci/configuration-as-code-plugin/commit/4f425675edf77d382a6fd10890f1a704ff3b2277
- https://github.com/CVEProject/cvelist/blob/00bfb5abeecc9f553a2f42954ee540e493498ee9/2022/23xxx/CVE-2022-23106.json
- https://github.com/jenkinsci/configuration-as-code-plugin
- https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2141
- http://www.openwall.com/lists/oss-security/2022/01/12/6
Affected packages
Maven / io.jenkins:configuration-as-code
Package
- Name
- io.jenkins:configuration-as-code
- View open source insights on deps.dev
- Purl
- pkg:maven/io.jenkins/configuration-as-code
Maven / io.jenkins:configuration-as-code
Package
- Name
- io.jenkins:configuration-as-code
- View open source insights on deps.dev
- Purl
- pkg:maven/io.jenkins/configuration-as-code
Maven / io.jenkins:configuration-as-code
Package
- Name
- io.jenkins:configuration-as-code
- View open source insights on deps.dev
- Purl
- pkg:maven/io.jenkins/configuration-as-code
Maven / io.jenkins:configuration-as-code
Package
- Name
- io.jenkins:configuration-as-code
- View open source insights on deps.dev
- Purl
- pkg:maven/io.jenkins/configuration-as-code
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.47.1
Affected versions
0.*
0.6-alpha
0.7-alpha
0.8-alpha
0.9-alpha
0.10-alpha
0.11-alpha
1.*
1.0-rc1
1.0-rc2
1.0-rc3
1.0
1.1
1.2
1.3
1.4
1.5
1.6
1.7
1.8
1.9
1.10
1.11
1.12
1.13
1.14
1.15
1.16
1.17
1.18
1.19
1.20
1.21
1.22
1.23
1.24
1.25
1.26
1.27
1.28
1.29
1.30
1.31
1.32
1.33
1.34
1.35
1.36
1.36.1-beta
1.36.2
1.37
1.38
1.39
1.40
1.41
1.42
1.43
1.44
1.45
1.46
1.47