CVE-2022-23106

CWE-203 CWE-362 — Race Condition CWE-2086 documents6 sources

Severity

5.3MEDIUM

EPSS

0.1%

top 75.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Configuration AS Code Plugin Jenkins Configuration AS Code

Timeline

PublishedJan 12

Latest updateJan 21

Description

Jenkins Configuration as Code Plugin 1.55 and earlier used a non-constant time comparison function when validating an authentication token allowing attackers to use statistical methods to obtain a valid authentication token.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5jenkins_project/jenkins_configuration_as_code_pluginunspecified — 1.55

▶Mavenio.jenkins:configuration-as-code1.55 — 1.55.1+3

▶NVDjenkins/configuration_as_code1.55

🔴Vulnerability Details

OSV

Observable Discrepancy and Observable Timing Discrepancy in Jenkins Configuration as Code Plugin↗2022-01-21

▶

GHSA

Observable Discrepancy and Observable Timing Discrepancy in Jenkins Configuration as Code Plugin↗2022-01-21

▶

CVEList

CVE-2022-23106: Jenkins Configuration as Code Plugin 1↗2022-01-12

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2022-01-12↗2022-01-12

▶

Red Hat

jenkins-2-plugins/configuration-as-code: uses a non-constant time comparison function when validating an authentication token↗2022-01-12

▶