CVE-2022-43411
Published 2022-10-19
Priority P4 · 25 · Medium · CVSS 3.1 base score 5.3
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS 0.66% (46.7th percentile)
Jenkins GitLab Plugin 1.5.35 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.
Affected
35 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gitlab | gitlab | — | — |
| jenkins | bmc_ami_devx_code_debug_code_coverage_plugin | — | — |
| jenkins | bmc_ami_devx_total_test_plugin | — | — |
| jenkins | bmc_ami_strobe_measurement_task_plugin | — | — |
| jenkins | code_pipeline_plugin | — | — |
| jenkins | compuware_topaz_utilities_plugin | — | — |
| jenkins | contrast_continuous_application_security_plugin | — | — |
| jenkins | credentials_plugin | — | — |
| jenkins | custom_checkbox_parameter_plugin | — | — |
| jenkins | cve-2022-43401_in_script_security_plugin | — | — |
| jenkins | declarative_plugin | — | — |
| jenkins | deprecated_groovy_libraries_plugin | — | — |
| jenkins | fireline_plugin | — | — |
| jenkins | generic_webhook_trigger_plugin | — | — |
| jenkins | gitlab | < 1.5.36 | 1.5.36 |
| jenkins | gitlab_plugin | — | — |
| jenkins | groovy_libraries_plugin | — | — |
| jenkins | groovy_plugin | — | — |
| jenkins | input_step_plugin | — | — |
| jenkins | job_import_plugin | — | — |
| jenkins | job_plugin | — | — |
| jenkins | katalon_plugin | — | — |
| jenkins | mercurial_plugin | — | — |
| jenkins | nunit_plugin | — | — |
| jenkins | repo_plugin | — | — |
OSV
Non-constant time webhook token comparison in Jenkins GitLab Plugin
osv·2022-10-19
CVE-2022-43411 [LOW] Non-constant time webhook token comparison in Jenkins GitLab Plugin
GitLab Plugin 1.5.35 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal.
This could potentially allow attackers to use statistical methods to obtain a valid webhook token.
GitLab Plugin 1.5.36 uses a constant-time comparison when validating the webhook token.
GHSA
Non-constant time webhook token comparison in Jenkins GitLab Plugin
ghsa·2022-10-19
CVE-2022-43411 [LOW] CWE-203 Non-constant time webhook token comparison in Jenkins GitLab Plugin
GitLab Plugin 1.5.35 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal.
This could potentially allow attackers to use statistical methods to obtain a valid webhook token.
GitLab Plugin 1.5.36 uses a constant-time comparison when validating the webhook token.
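The OSV and GHSA entries above describe the CWE-203 weakness and the fix in one sentence each. The following is an added example, not code from the Jenkins GitLab Plugin and not the Java change shipped in 1.5.36: it models the leaky comparison and the constant-time replacement side by side, instruments each with a byte counter that stands in for the response latency an attacker would actually measure, and runs the byte-at-a-time recovery that the advisory calls a "statistical method". The token value, the assumed token alphabet and all function names (`early_exit_equals`, `constant_time_equals`, `check_token_hardened`, `recover_token`) are constructed for this demonstration.

```python
"""Added example (not Jenkins GitLab Plugin code): a model of the CWE-203 timing
leak behind CVE-2022-43411 and the constant-time fix. All values are constructed."""
import hmac
from typing import Callable, Iterable, Tuple

# Constructed sample secret. In the plugin the operator sets the token in the job's
# GitLab trigger configuration and GitLab sends it in the X-Gitlab-Token header.
EXPECTED_TOKEN = b"s3cr3t-webhook-token"
# Characters the attacker assumes the token is drawn from (assumption).
ALPHABET = [bytes([c]) for c in b"abcdefghijklmnopqrstuvwxyz0123456789-"]

Oracle = Callable[[bytes], Tuple[bool, int]]


def early_exit_equals(provided: bytes, expected: bytes) -> Tuple[bool, int]:
    """Vulnerable comparison, shaped like String.equals(): stops at the first
    differing byte. Returns (matches, work) where work counts the bytes examined;
    on a real server the attacker observes work only indirectly, as latency."""
    if len(provided) != len(expected):
        return False, 0
    work = 0
    for a, b in zip(provided, expected):
        work += 1
        if a != b:
            return False, work
    return True, work


def constant_time_equals(provided: bytes, expected: bytes) -> Tuple[bool, int]:
    """Hardened comparison, instrumented the same way: every byte is examined and
    the differences are OR-ed together, so work does not depend on where the
    first mismatch sits. Only the length remains observable."""
    if len(provided) != len(expected):
        return False, 0
    diff = 0
    work = 0
    for a, b in zip(provided, expected):
        work += 1
        diff |= a ^ b
    return diff == 0, work


def check_token_hardened(provided: str, expected: str) -> bool:
    """What a real handler should call instead of ==: hmac.compare_digest is the
    standard-library constant-time comparison (Java: MessageDigest.isEqual)."""
    return hmac.compare_digest(provided.encode("utf-8"), expected.encode("utf-8"))


def recover_token(oracle: Oracle, length: int, alphabet: Iterable[bytes]) -> bytes:
    """Byte-at-a-time recovery against a leaky oracle: at each position the
    candidate that makes the comparison examine the most bytes is the right one.
    A real attacker cannot read work directly and instead averages many timed
    requests per candidate; the decision rule is otherwise the same."""
    alphabet = list(alphabet)
    known = b""
    for pos in range(length):
        best, best_work = alphabet[0], -1
        for cand in alphabet:
            # Pad with a byte outside the alphabet so only the tested position matters.
            guess = known + cand + b"\x00" * (length - pos - 1)
            matches, work = oracle(guess)
            if matches:
                return guess
            if work > best_work:
                best, best_work = cand, work
        known += best
    return known


if __name__ == "__main__":
    leaky = lambda g: early_exit_equals(g, EXPECTED_TOKEN)
    fixed = lambda g: constant_time_equals(g, EXPECTED_TOKEN)
    print("vulnerable:", recover_token(leaky, len(EXPECTED_TOKEN), ALPHABET))
    print("hardened:  ", recover_token(fixed, len(EXPECTED_TOKEN), ALPHABET))
```

Against the early-exit oracle the loop recovers the full token with one pass over the alphabet per position; against the constant-time oracle every candidate costs the same, so the attacker learns nothing and the loop returns garbage. Two caveats a practitioner should keep in mind: both comparisons still reveal the token length through the early length check, and in production the attacker's signal is network latency, so many samples and a statistical test per candidate replace the single counter read shown here.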
GitLab
CVE-2022-43411: Jenkins GitLab Plugin 1.5.35 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.
vendor_gitlab·2022-10-19·CVSS 5.3
CVE-2022-43411 [MEDIUM] CWE-203
Jenkins
Jenkins Security Advisory 2022-10-19
vendor_jenkins·2022-10-19·CVSS 9.9 (score indexed for the advisory as a whole; CVE-2022-43411 itself is rated 5.3 above)
This advisory announces vulnerabilities in the following Jenkins deliverables:
BMC AMI DevX Code Debug Code Coverage Plugin
BMC AMI DevX Source Code Download for Endevor, PDS, and Code Pipeline Plugin
BMC AMI DevX Total Test Plugin
BMC AMI Strobe Measurem
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published 2022-10-19