Non-Constant Time Comparison Vulnerability in Jenkins Gogs Plugin
CVE-2023-46657

5.3MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Gogs Plugin
Vendor: CVE Published:; 25 October 2023

Summary

The Jenkins Gogs Plugin versions 1.0.15 and earlier are susceptible to a vulnerability in which a non-constant time comparison function is used during the evaluation of webhook tokens. This flaw allows malicious actors to exploit statistical methods to derive a valid webhook token by analyzing the response time variations. If successfully exploited, it could compromise the integrity of the webhook mechanism, exposing Jenkins instances to unauthorized access and potential attacks.

Affected Version(s)

Jenkins Gogs Plugin 0 <= 1.0.15

References

https://www.jenkins.io/security/advisory/2023-10-25/#SECU...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/10/25/2

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 25, 2023
Vulnerability Reserved
Oct 24, 2023