Non-Constant Time Comparison Vulnerability in Jenkins GitLab Branch Source Plugin by Jenkins
CVE-2024-23903
5.3 MEDIUM
Key Information:
- Vendor: Jenkins
- CVE Published: 24 January 2024
Summary
The Jenkins GitLab Branch Source Plugin, versions 684.vea_fa_7c1e2fe3 and earlier, contains a critical design flaw: the token presented with an incoming webhook is checked against the configured token using a non-constant-time comparison. The time such a comparison takes depends on how much of the submitted value matches the real token, so an attacker who can send webhook requests and observe response times could apply statistical techniques to recover the valid token, undermining the integrity of webhook communications and posing a significant security risk. Users of the affected versions should update to a fixed release to mitigate this vulnerability.
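To make the flaw concrete, the following added example (not code from the plugin or from Jenkins; the token value is constructed) contrasts an early-exit comparison, whose work grows with the length of the correctly guessed prefix, with a constant-time check. The count of bytes examined stands in for elapsed time so the result is deterministic.

```python
import hmac

# Constructed sample token; a real deployment's token is configured per webhook.
SECRET_TOKEN = "c0nstructed-webhook-token-0123"


def naive_token_check(received: str, expected: str) -> tuple[bool, int]:
    """The vulnerable pattern: a byte-by-byte comparison that stops at the
    first mismatch (the behaviour of a String.equals-style comparison).

    Returns (match, bytes_examined). The count stands in for elapsed time:
    the further a guess agrees with the real token, the more work is done
    before rejection, so response time leaks the length of the matching
    prefix. A length mismatch is rejected with no work, leaking the length."""
    r, e = received.encode(), expected.encode()
    if len(r) != len(e):
        return False, 0
    examined = 0
    for a, b in zip(r, e):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_token_check(received: str, expected: str) -> bool:
    """The hardened pattern: hmac.compare_digest always walks every byte, so
    the time taken does not depend on where (or whether) the inputs differ.
    The Java counterpart is java.security.MessageDigest.isEqual."""
    return hmac.compare_digest(received.encode(), expected.encode())


def guess_with_prefix(expected: str, n: int, filler: str = "?") -> str:
    """Build a same-length guess whose first n bytes match the real token."""
    return expected[:n] + filler * (len(expected) - n)


def work_profile(expected: str, prefix_lengths: list[int]) -> dict[int, int]:
    """Map each matching-prefix length to the work the naive check performs.
    This linear relationship is the signal a timing analysis relies on; the
    constant-time check exhibits no such profile."""
    return {n: naive_token_check(guess_with_prefix(expected, n), expected)[1]
            for n in prefix_lengths}


if __name__ == "__main__":
    print(work_profile(SECRET_TOKEN, [0, 5, 10, 20]))  # {0: 1, 5: 6, 10: 11, 20: 21}
    print(constant_time_token_check(guess_with_prefix(SECRET_TOKEN, 20), SECRET_TOKEN))
```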
Affected Version(s)
Jenkins GitLab Branch Source Plugin, versions 0 through 684.vea_fa_7c1e2fe3 (inclusive)
CVSS V3.1
- Score: 5.3
- Severity: MEDIUM
- Confidentiality: Low
- Integrity: None
- Availability: Low
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Timeline
- Vulnerability published: 24 January 2024
- Vulnerability reserved