Описание
Jenkins Configuration as Code Plugin 1.55 and earlier used a non-constant time comparison function when validating an authentication token allowing attackers to use statistical methods to obtain a valid authentication token.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat OpenShift Container Platform 3.11 | jenkins-2-plugins | Fix deferred | ||
| Red Hat OpenShift Container Platform 4 | jenkins-2-plugins | Affected |
Показывать по
10
Дополнительная информация
Статус:
Low
Дефект:
CWE-362
https://bugzilla.redhat.com/show_bug.cgi?id=2044462jenkins-2-plugins/configuration-as-code: uses a non-constant time comparison function when validating an authentication token
5.3 Medium
CVSS3
Связанные уязвимости
CVSS3: 5.3
nvd
около 4 лет назад
Jenkins Configuration as Code Plugin 1.55 and earlier used a non-constant time comparison function when validating an authentication token allowing attackers to use statistical methods to obtain a valid authentication token.
CVSS3: 3.7
github
около 4 лет назад
Observable Discrepancy and Observable Timing Discrepancy in Jenkins Configuration as Code Plugin
5.3 Medium
CVSS3