CVE-2020-2102 — Observable Discrepancy in Project Jenkins

Severity

5.3MEDIUMNVD

EPSS

1.5%

top 18.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Timeline

PublishedJan 29

Latest updateMay 24

Description

Jenkins 2.218 and earlier, LTS 2.204.1 and earlier used a non-constant time comparison function when validating an HMAC.

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.6 | Impact: 3.6

▶CVEListV5jenkins_project/jenkinsunspecified — 2.218+1

OSV

Non-constant time HMAC comparison↗2022-05-24

▶

GHSA

Non-constant time HMAC comparison↗2022-05-24

▶

CVEList

CVE-2020-2102: Jenkins 2↗2020-01-29

▶

Jenkins

Jenkins Security Advisory 2020-01-29↗2020-01-29

▶

Red Hat

jenkins: Non-constant time HMAC comparison↗2020-01-29

▶

Bugzilla

CVE-2020-2102 jenkins: Non-constant time HMAC comparison [fedora-all]↗2020-01-31

▶

Bugzilla

CVE-2020-2102 jenkins: Non-constant time HMAC comparison↗2020-01-31

▶