CVE-2022-23106
Severity: LOW (3.7) | EPSS: 0.09%
Observable Discrepancy and Observable Timing Discrepancy in Jenkins Configuration as Code Plugin
Published: 1/21/2022 | Modified: 2/16/2024
Description
Jenkins Configuration as Code Plugin prior to 1.55.1, 1.54.1, 1.53.1, and 1.47.1 does not use a constant-time comparison when checking whether two authentication tokens are equal. This could potentially allow attackers to use statistical methods to obtain a valid authentication token. Configuration as Code Plugin 1.55.1, 1.54.1, 1.53.1, and 1.47.1 now uses a constant-time comparison when validating authentication tokens.
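The defect class named above, shown side by side with its fix, as an added example (not the plugin's own code; the class and method names are assumed): a short-circuiting byte comparison whose running time depends on the length of the matching prefix, and a constant-time comparison via `MessageDigest.isEqual` that removes that dependency.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added illustration with hypothetical names; not code from the plugin.
public final class TokenCheck {

    // Variable-time comparison: returns at the first differing byte, so the
    // elapsed time depends on how many leading bytes matched. This is the
    // kind of comparison the advisory describes as non-constant-time.
    static boolean equalsVariableTime(byte[] expected, byte[] presented) {
        if (expected.length != presented.length) {
            return false;
        }
        for (int i = 0; i < expected.length; i++) {
            if (expected[i] != presented[i]) {
                return false;
            }
        }
        return true;
    }

    // Constant-time comparison: MessageDigest.isEqual examines every byte of
    // equal-length inputs regardless of where the first mismatch is, so the
    // elapsed time no longer reveals the length of the matching prefix.
    static boolean equalsConstantTime(byte[] expected, byte[] presented) {
        return MessageDigest.isEqual(expected, presented);
    }

    // Token validation as a hardened service would do it.
    static boolean tokenMatches(String expectedToken, String presentedToken) {
        byte[] expected = expectedToken.getBytes(StandardCharsets.UTF_8);
        byte[] presented = presentedToken.getBytes(StandardCharsets.UTF_8);
        return equalsConstantTime(expected, presented);
    }

    public static void main(String[] args) {
        // Constructed sample tokens, not real credentials.
        String expected = "c0ffee0123456789";
        System.out.println(tokenMatches(expected, "c0ffee0123456789"));
        System.out.println(tokenMatches(expected, "c0ffee0000000000"));
        System.out.println(tokenMatches(expected, "c0ffee01"));
    }
}
```

Both functions return the same booleans; only the timing behaviour differs, which is why a review of the code alone will not catch this bug unless the comparison primitive itself is checked.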
Affected packages (1)
- Maven / io.jenkins:configuration-as-code: >= 1.55, < 1.55.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW (3.7) | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2022-23106
- PATCH: https://github.com/jenkinsci/configuration-as-code-plugin
- WEB: https://github.com/CVEProject/cvelist/blob/00bfb5abeecc9f553a2f42954ee540e493498ee9/2022/23xxx/CVE-2022-23106.json
- WEB: https://github.com/jenkinsci/configuration-as-code-plugin/commit/4f425675edf77d382a6fd10890f1a704ff3b2277
- WEB: https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2141
- WEB: http://www.openwall.com/lists/oss-security/2022/01/12/6