CVE-2022-43412

CWE-203 CWE-2085 documents5 sources

Severity

5.3MEDIUM

EPSS

0.2%

top 55.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Generic Webhook Trigger Jenkins Project Jenkins Generic Webhook Trigger Plugin

Timeline

PublishedOct 19

Description

Jenkins Generic Webhook Trigger Plugin 1.84.1 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶Mavenorg.jenkins-ci.plugins:generic-webhook-trigger< 1.84.2

▶CVEListV5jenkins_project/jenkins_generic_webhook_trigger_pluginunspecified — 1.84.1

▶NVDjenkins/generic_webhook_trigger< 1.84.2

🔴Vulnerability Details

CVEList

CVE-2022-43412: Jenkins Generic Webhook Trigger Plugin 1↗2022-10-19

▶

OSV

Non-constant time webhook token comparison in Jenkins Generic Webhook Trigger Plugin↗2022-10-19

▶

GHSA

Non-constant time webhook token comparison in Jenkins Generic Webhook Trigger Plugin↗2022-10-19

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2022-10-19↗2022-10-19

▶