Описание
Non-constant time webhook token hash comparison in Jenkins Zanata Plugin
Jenkins Zanata Plugin 0.6 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token hashes are equal.
This could potentially allow attackers to use statistical methods to obtain a valid webhook token.
As of publication of this advisory, there is no fix.
Пакеты
Наименование
org.jenkins-ci.plugins:zanata
maven
Затронутые версииВерсия исправления
<= 0.6
Отсутствует
Связанные уязвимости
CVSS3: 5.3
nvd
больше 2 лет назад
Jenkins Zanata Plugin 0.6 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token hashes are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.