CVE-2020-2101Observable Discrepancy in Project Jenkins

CWE-203Observable DiscrepancyCWE-385Covert Timing ChannelCWE-208Observable Timing Discrepancy8 documents7 sources
Severity
5.3MEDIUMNVD
EPSS
1.6%
top 18.00%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Jenkins Project JenkinsJenkins
Timeline
PublishedJan 29
Latest updateMay 24

Description

Jenkins 2.218 and earlier, LTS 2.204.1 and earlier did not use a constant-time comparison function for validating connection secrets, which could potentially allow an attacker to use a timing attack to obtain this secret.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.6 | Impact: 3.6

Affected Packages2 packages

NVDjenkins/jenkins2.204.1+1
CVEListV5jenkins_project/jenkinsunspecified2.218+1

🔴Vulnerability Details

3
OSV
Non-constant time comparison of inbound TCP agent connection secret2022-05-24
GHSA
Non-constant time comparison of inbound TCP agent connection secret2022-05-24
CVEList
CVE-2020-2101: Jenkins 22020-01-29

📋Vendor Advisories

2
Jenkins
Jenkins Security Advisory 2020-01-292020-01-29
Red Hat
jenkins: Non-constant time comparison of inbound TCP agent connection secret2020-01-29

💬Community

2
Bugzilla
CVE-2020-2101 jenkins: Non-constant time comparison of inbound TCP agent connection secret2020-01-31
Bugzilla
CVE-2020-2101 jenkins: Non-constant time comparison of inbound TCP agent connection secret [fedora-all]2020-01-31
CVE-2020-2101 — Observable Discrepancy | cvebase