1. Home
  2. Security Advisories
  3. Jenkins
  4. JENKINS:SECURITY-2141

[JENKINS:SECURITY-2141] Non-constant time token comparison in `configuration-as-code`

Severity Low
Affected Packages 2
Fixed Packages 2
CVEs 1
Info Packages References Vulnerabilities

configuration-as-code 1.55 and earlier does not use a constant-time comparison when checking whether two authentication tokens are equal.

This could potentially allow attackers to use statistical methods to obtain a valid authentication token.

configuration-as-code 1.55.1 now uses a constant-time comparison when validating authentication tokens.

Package Affected Version
pkg:maven/org.jenkins-ci.plugins/configuration-as-code <= 1.55
pkg:github/jenkinsci/configuration-as-code-plugin <= 1.55
Package Fixed Version
pkg:maven/org.jenkins-ci.plugins/configuration-as-code = 1.55.1
pkg:github/jenkinsci/configuration-as-code-plugin = 1.55.1
ID
JENKINS:SECURITY-2141
Severity
low
Published
2022-01-12T00:00:00
(2 years ago)
Modified
2022-01-12T00:00:00
(2 years ago)
Rights
Jenkins Security Team
Other Advisories
Source # ID Name URL
Plugin repository configuration-as-code repository https://github.com/jenkinsci/configuration-as-code-plugin
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.jenkins-ci.plugins/configuration-as-code org.jenkins-ci.plugins configuration-as-code <= 1.55
Fixed pkg:maven/org.jenkins-ci.plugins/configuration-as-code org.jenkins-ci.plugins configuration-as-code = 1.55.1
Affected pkg:github/jenkinsci/configuration-as-code-plugin jenkinsci configuration-as-code-plugin <= 1.55
Fixed pkg:github/jenkinsci/configuration-as-code-plugin jenkinsci configuration-as-code-plugin = 1.55.1
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date