CVE-2022-36885 — Observable Discrepancy in Project Jenkins Github Plugin

CWE-203 — Observable Discrepancy CWE-208 — Observable Timing Discrepancy6 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

0.3%

top 43.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Github Plugin Jenkins Github

Timeline

PublishedJul 27

Latest updateJul 28

Description

Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5jenkins_project/jenkins_github_pluginunspecified — 1.34.4

▶NVDjenkins/github1.34.4

🔴Vulnerability Details

OSV

Jenkins GitHub plugin uses weak webhook signature function↗2022-07-28

▶

GHSA

Jenkins GitHub plugin uses weak webhook signature function↗2022-07-28

▶

CVEList

CVE-2022-36885: Jenkins GitHub Plugin 1↗2022-07-27

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2022-07-27↗2022-07-27

▶

Red Hat

plugin: Non-constant time webhook signature comparison in GitHub Plugin↗2022-07-27

▶