1. Home
  2. Security Advisories
  3. Jenkins
  4. JENKINS:SECURITY-2871

[JENKINS:SECURITY-2871] Non-constant time webhook token comparison in `gitlab-branch-source`

Severity Low
Affected Packages 2
Fixed Packages 2
CVEs 1
Info Packages References Vulnerabilities

gitlab-branch-source 684.vea_fa_7c1e2fe3 and earlier does not use a constant-time comparison function when checking whether the provided and expected webhook token are equal.

This could potentially allow attackers to use statistical methods to obtain a valid webhook token.

gitlab-branch-source 688.v5fa_356ee8520 uses a constant-time comparison function when validating the webhook token.

Package Affected Version
pkg:maven/org.jenkins-ci.plugins/gitlab-branch-source <= 684.vea_fa_7c1e2fe3
pkg:github/jenkinsci/gitlab-branch-source-plugin <= 684.vea_fa_7c1e2fe3
Package Fixed Version
pkg:maven/org.jenkins-ci.plugins/gitlab-branch-source = 688.v5fa_356ee8520
pkg:github/jenkinsci/gitlab-branch-source-plugin = 688.v5fa_356ee8520
ID
JENKINS:SECURITY-2871
Severity
low
Published
2024-01-24T00:00:00
(7 months ago)
Modified
2024-01-24T00:00:00
(7 months ago)
Rights
Jenkins Security Team
Other Advisories
Source # ID Name URL
Plugin repository gitlab-branch-source repository https://github.com/jenkinsci/gitlab-branch-source-plugin
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.jenkins-ci.plugins/gitlab-branch-source org.jenkins-ci.plugins gitlab-branch-source <= 684.vea_fa_7c1e2fe3
Fixed pkg:maven/org.jenkins-ci.plugins/gitlab-branch-source org.jenkins-ci.plugins gitlab-branch-source = 688.v5fa_356ee8520
Affected pkg:github/jenkinsci/gitlab-branch-source-plugin jenkinsci gitlab-branch-source-plugin <= 684.vea_fa_7c1e2fe3
Fixed pkg:github/jenkinsci/gitlab-branch-source-plugin jenkinsci gitlab-branch-source-plugin = 688.v5fa_356ee8520
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date