CVE-2023-41936
published 2023-09-06CVE-2023-41936: Jenkins Google Login Plugin 1.7 and earlier uses a non-constant time comparison function when checking whether the provided and expected token are equal…
high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
Jenkins Google Login Plugin 1.7 and earlier uses a non-constant time comparison function when checking whether the provided and expected token are equal, potentially allowing attackers to use statistical methods to obtain a valid token.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | assembla_auth_plugin | — | — |
| jenkins | aws_codecommit_trigger_plugin | — | — |
| jenkins | bitbucket_push_and_pull_request_plugin | — | — |
| jenkins | config_file_provider_plugin | — | — |
| jenkins | disabled_permissions_can_be_granted_by_ssh2_easy_plugin | — | — |
| jenkins | disabled_permissions_granted_by_assembla_auth_plugin | — | — |
| jenkins | frugal_testing_plugin | — | — |
| jenkins | google_login | <= 1.7 | — |
| jenkins | google_login_plugin | — | — |
| jenkins | ivy_plugin | — | — |
| jenkins | job_configuration_history_plugin | — | — |
| jenkins | non-constant_time_token_comparison_in_google_login_plugin | — | — |
| jenkins | pipeline_maven_integration_plugin | — | — |
| jenkins | qualys_container_scanning_connector_plugin | — | — |
| jenkins | ssh2_easy_plugin | — | — |
| jenkins | tap_plugin | — | — |
| jenkins_project | jenkins_google_login_plugin | <= 1.7 | — |