Description
Non-constant time comparison of inbound TCP agent connection secret
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier do not use a constant-time comparison when validating the connection secret of an inbound TCP agent connection. Because the comparison exits at the first mismatching byte, its running time depends on how much of the supplied secret is correct, which could potentially allow attackers to use statistical (timing) methods to obtain the connection secret.
Jenkins 2.219 and LTS 2.204.2 use a constant-time comparison function for verifying connection secrets.
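The following Java program is an added illustration of the defect class described above; it is not Jenkins code and not the linked fix commit. It places an early-exit byte comparison next to two constant-time alternatives and counts how much work the early-exit version does for inputs that share a growing correct prefix with the secret. The class and method names are hypothetical, and the secret and candidate values are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/**
 * Added example (hypothetical class, not part of Jenkins): contrasts a
 * data-dependent secret comparison with constant-time ones.
 */
public final class SecretComparison {

    /**
     * Vulnerable pattern: returns at the first mismatching byte, so the
     * number of bytes examined (and the elapsed time) grows with the
     * length of the correct prefix in the supplied value.
     */
    static boolean earlyExitEquals(byte[] expected, byte[] supplied) {
        if (expected.length != supplied.length) {
            return false;
        }
        for (int i = 0; i < expected.length; i++) {
            if (expected[i] != supplied[i]) {
                return false; // data-dependent early exit
            }
        }
        return true;
    }

    /**
     * Hardened pattern: every byte is examined regardless of where the
     * first difference lies; differences are folded into an accumulator
     * with XOR/OR and inspected only once at the end. Only the length
     * check remains observable through timing.
     */
    static boolean constantTimeEquals(byte[] expected, byte[] supplied) {
        if (expected.length != supplied.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < expected.length; i++) {
            diff |= expected[i] ^ supplied[i];
        }
        return diff == 0;
    }

    /**
     * Same property using the JDK: MessageDigest.isEqual compares
     * equal-length arrays in constant time in current JDKs.
     */
    static boolean jdkConstantTimeEquals(byte[] expected, byte[] supplied) {
        return MessageDigest.isEqual(expected, supplied);
    }

    /**
     * Number of byte comparisons the early-exit loop performs before it
     * returns: matched-prefix length + 1 (capped at the full length).
     * This is the quantity a timing measurement would be estimating.
     */
    static int earlyExitWork(byte[] expected, byte[] supplied) {
        if (expected.length != supplied.length) {
            return 0;
        }
        int i = 0;
        while (i < expected.length && expected[i] == supplied[i]) {
            i++;
        }
        return Math.min(i + 1, expected.length);
    }

    public static void main(String[] args) {
        // Constructed sample secret (25 bytes); not a real Jenkins value.
        String secretText = "constructed-sample-secret";
        byte[] secret = secretText.getBytes(StandardCharsets.US_ASCII);

        // Constructed candidates of the same length with 0, 4 and 25 correct leading bytes.
        String[] candidates = {
            "x".repeat(25),
            "cons" + "x".repeat(21),
            secretText
        };

        for (String c : candidates) {
            byte[] supplied = c.getBytes(StandardCharsets.US_ASCII);
            System.out.printf("%-26s earlyExit=%-5b work=%2d constantTime=%-5b jdk=%-5b%n",
                    c,
                    earlyExitEquals(secret, supplied),
                    earlyExitWork(secret, supplied),
                    constantTimeEquals(secret, supplied),
                    jdkConstantTimeEquals(secret, supplied));
        }
    }
}
```

Running it (Java 11 or later, for `String.repeat`) shows the early-exit work rising from 1 to 5 to 25 comparisons as the correct prefix grows, while both constant-time variants always touch all 25 bytes and return the same boolean result. Both constant-time variants still return early on a length mismatch; that reveals only the secret's length, which is acceptable when secrets have a fixed, known size, as connection tokens normally do.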
References
- https://nvd.nist.gov/vuln/detail/CVE-2020-2101
- https://github.com/jenkinsci/jenkins/commit/0ba36508187ff771bba87feaf03057496775064c
- https://access.redhat.com/errata/RHBA-2020:0402
- https://access.redhat.com/errata/RHBA-2020:0675
- https://access.redhat.com/errata/RHSA-2020:0681
- https://access.redhat.com/errata/RHSA-2020:0683
- https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1659
- http://www.openwall.com/lists/oss-security/2020/01/29/1
Packages
- org.jenkins-ci.main:jenkins-core: affected <= 2.204.1, fixed in 2.204.2
- org.jenkins-ci.main:jenkins-core: affected >= 2.205, <= 2.218, fixed in 2.219
Related vulnerabilities
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier did not use a constant-time comparison function for validating connection secrets, which could potentially allow an attacker to use a timing attack to obtain this secret.