Описание
Non-constant time webhook token comparison in Jenkins GitLab Plugin
GitLab Plugin 1.5.35 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal.
This could potentially allow attackers to use statistical methods to obtain a valid webhook token.
GitLab Plugin 1.5.36 uses a constant-time comparison when validating the webhook token.
Пакеты
Наименование
org.jenkins-ci.plugins:gitlab-plugin
maven
Затронутые версииВерсия исправления
<= 1.5.35
1.5.36
Связанные уязвимости
CVSS3: 5.3
nvd
больше 3 лет назад
Jenkins GitLab Plugin 1.5.35 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.