[JENKINS:SECURITY-1849] Non-constant time webhook signature comparison in `github`

Severity: Low
Affected Packages: 2
Fixed Packages: 2
CVEs: 1

github 1.34.4 and earlier does not use a constant-time comparison when checking whether the provided and computed webhook signatures are equal.

This could allow attackers to use statistical methods to obtain a valid webhook signature.

github 1.34.5 uses a constant-time comparison when validating the webhook signature.
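As an added illustration (not the plugin's own code), the non-constant-time pattern the advisory describes beside a hardened verifier in Python. The `sha256=<hex>` header layout is GitHub's documented `X-Hub-Signature-256` format; the secret and payload are constructed sample values.

```python
import hmac
import hashlib
from typing import Optional

# Constructed sample webhook secret and request body (not real values).
SECRET = b"constructed-webhook-secret"
PAYLOAD = b'{"action":"opened","number":42}'


def naive_signature_matches(expected: str, provided: str) -> bool:
    """The pattern the advisory warns about: '==' stops at the first
    differing character, so the time it takes depends on how many leading
    characters of the supplied signature were correct."""
    return expected == provided


def compute_signature(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the raw request body, rendered in GitHub's
    'sha256=<hex>' header format (X-Hub-Signature-256)."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_webhook(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Hardened check: reject a missing or malformed header up front, then
    compare with hmac.compare_digest, whose running time does not depend on
    the position of the first mismatch (the fix 1.34.5 applies)."""
    if not header or not header.startswith("sha256="):
        return False
    expected = compute_signature(secret, body)
    # Compare as bytes so a non-ASCII header cannot raise; a length
    # mismatch yields False without revealing which characters matched.
    return hmac.compare_digest(expected.encode(), header.encode())


if __name__ == "__main__":
    good = compute_signature(SECRET, PAYLOAD)
    print("valid header accepted:", verify_webhook(SECRET, PAYLOAD, good))
    print("forged header rejected:", verify_webhook(SECRET, PAYLOAD, "sha256=" + "0" * 64))
```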

ID: JENKINS:SECURITY-1849
Severity: low
Published: 2022-07-27T00:00:00
Modified: 2022-07-27T00:00:00
Rights: Jenkins Security Team
Other Advisories
Source             ID      Name        URL
Plugin repository  github  repository  https://github.com/jenkinsci/github-plugin
Type      Package URL                              Namespace               Name / Product  Version
Affected  pkg:maven/org.jenkins-ci.plugins/github  org.jenkins-ci.plugins  github          <= 1.34.4
Fixed     pkg:maven/org.jenkins-ci.plugins/github  org.jenkins-ci.plugins  github          = 1.34.5
Affected  pkg:github/jenkinsci/github-plugin       jenkinsci               github-plugin   <= 1.34.4
Fixed     pkg:github/jenkinsci/github-plugin       jenkinsci               github-plugin   = 1.34.5