CVE-2024-23903
Published: 2024-01-24
Severity: medium, CVSS 3.1 base score 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.
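The comparison flaw described above, as an added example that is not the plugin's code or part of the advisory: an early-exit byte-by-byte comparison (the vulnerable pattern) beside a constant-time one (the fix pattern; `hmac.compare_digest` here, `MessageDigest.isEqual` in Java), plus a simulated prefix-recovery attack that drives the early-exit version. It is written in Python rather than the plugin's Java so it runs stand-alone. `EXPECTED_TOKEN`, `ALPHABET`, the oracle and all helper names are constructed for this demonstration; the attack assumes the token length is already known, and it counts bytes examined instead of measuring latency, which is what a real attacker would have to sample statistically over many requests.

```python
import hmac
import string

# Constructed sample token a Jenkins administrator might have configured for
# the GitLab webhook (hypothetical value, not taken from the advisory).
EXPECTED_TOKEN = "s3cr3t-webhook-token"

# Candidate characters the simulated attacker tries at each position.
ALPHABET = string.ascii_lowercase + string.digits + "-"


def early_exit_compare(provided: str, expected: str) -> tuple[bool, int]:
    """Vulnerable pattern: stop at the first mismatching byte, as a naive
    equals() does. Returns (equal, bytes_examined); the second value stands
    in for elapsed time and grows with the length of the correct prefix."""
    a, b = provided.encode(), expected.encode()
    if len(a) != len(b):
        return False, 0          # length mismatch also returns immediately
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_compare(provided: str, expected: str) -> bool:
    """Hardened pattern: hmac.compare_digest examines every byte no matter
    where the first mismatch is, so work done does not depend on the guess."""
    return hmac.compare_digest(provided.encode(), expected.encode())


def recover_token_by_prefix(oracle, alphabet: str, length: int) -> str:
    """Simulated statistical attack against an early-exit comparison.
    For each position, try every candidate and keep the one that made the
    oracle do the most work; a correct byte pushes the mismatch one byte
    further along. Success on the final byte breaks the tie at the end."""
    recovered = ""
    for pos in range(length):
        best_char, best_score = None, -1
        for c in alphabet:
            # Pad the guess to the known length so only the byte under
            # test changes between candidates.
            guess = recovered + c + "\x00" * (length - pos - 1)
            ok, work = oracle(guess)
            score = work + (1 if ok else 0)
            if score > best_score:
                best_char, best_score = c, score
        recovered += best_char
    return recovered


def run_attack(expected: str = EXPECTED_TOKEN) -> str:
    """Drive the attack against the vulnerable comparison and return the
    token it recovers (equal to `expected` when the attack succeeds)."""
    oracle = lambda guess: early_exit_compare(guess, expected)
    return recover_token_by_prefix(oracle, ALPHABET, len(expected))


if __name__ == "__main__":
    print("recovered:", run_attack())
    print("constant-time check of correct token:",
          constant_time_compare(EXPECTED_TOKEN, EXPECTED_TOKEN))
```

The early-exit oracle leaks one byte per position with at most `len(ALPHABET)` queries each, so the whole token falls in a few hundred requests; against a server the per-request signal is tens of nanoseconds buried in network jitter, which is why the advisory speaks of statistical methods rather than a single measurement. The constant-time version offers no per-byte signal, so the same loop would pick an arbitrary candidate at every position.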
Affected (13 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gitlab | gitlab | — | — |
| jenkins | git_server_plugin | — | — |
| jenkins | github_branch_source | <= 684.vea_fa_7c1e2fe3 | — |
| jenkins | gitlab_branch_source_plugin | — | — |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_lts | — | — |
| jenkins | jenkins_uses_the_strict_crumb_issuer_plugin | — | — |
| jenkins | jenkins_weekly | — | — |
| jenkins | log_command_plugin | — | — |
| jenkins | matrix_project_plugin | — | — |
| jenkins | qualys_policy_compliance_scanning_connector_plugin | — | — |
| jenkins | red_hat_dependency_analytics_plugin | — | — |
| jenkins_project | jenkins_gitlab_branch_source_plugin | <= 684.vea_fa_7c1e2fe3 | — |