[MAVEN:GHSA-885R-HHPR-CC9P] Jenkins Gogs Plugin uses non-constant time webhook token comparison
Severity: Low
Affected Packages: 1
CVEs: 1
Jenkins Gogs Plugin 1.0.15 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal.
An early-exit comparison returns as soon as the first mismatching byte is found, so the time the endpoint takes to reject a request grows with the length of the correctly guessed prefix. An attacker who can send many webhook requests and measure response times can average out network jitter and recover the token one byte at a time. Such an attack needs a large number of requests and precise timing measurements, which is consistent with the Low severity rating.
As of publication of this advisory, there is no fix.
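The following is an added example to make the advisory's point concrete; it is not code from the Gogs plugin or from the advisory. It models the token check as an early-exit comparison in the style of `String.equals()`, places a constant-time comparison next to it, and then recovers the token byte by byte from a noisy timing oracle using medians of repeated measurements. The token value, the `work` counter that stands in for elapsed time, and the Gaussian jitter are all constructed for the illustration. In the plugin's own language the drop-in fix would be `java.security.MessageDigest.isEqual(byte[], byte[])`; in Python it is `hmac.compare_digest`.

```python
import random
import statistics

HEX = "0123456789abcdef"
# Constructed example token; the real token is whatever the Jenkins job configures.
SECRET_TOKEN = "c3a1f9e2"


def naive_compare(expected: str, provided: str) -> tuple[bool, int]:
    """Early-exit comparison in the style of String.equals().

    Returns (equal, work), where work counts the byte comparisons performed.
    That count is the model for elapsed time: it grows with the matching prefix.
    """
    if len(expected) != len(provided):
        return False, 0
    work = 0
    for a, b in zip(expected, provided):
        work += 1
        if a != b:
            return False, work
    return True, work


def constant_time_compare(expected: str, provided: str) -> tuple[bool, int]:
    """Content-independent comparison: every byte is visited and mismatches are
    OR-ed together, so work is always len(expected). Only the length check
    still exits early, which is the same property hmac.compare_digest has.
    In production use hmac.compare_digest (Python) or MessageDigest.isEqual (Java)
    rather than a hand-rolled loop; this version exists to expose the work count.
    """
    if len(expected) != len(provided):
        return False, 0
    diff = 0
    work = 0
    for a, b in zip(expected.encode(), provided.encode()):
        diff |= a ^ b
        work += 1
    return diff == 0, work


def work_profile(compare, guesses) -> set:
    """Distinct work counts observed over a set of guesses: one value means no
    timing signal, several values mean the matching-prefix length leaks."""
    return {compare(SECRET_TOKEN, g)[1] for g in guesses}


def make_oracle(compare, seed: int = 1, noise_sd: float = 0.5):
    """Wrap a comparison as the remote webhook endpoint seen by an attacker:
    returns (accepted, latency) with latency = work + constructed Gaussian jitter."""
    rng = random.Random(seed)

    def oracle(guess: str) -> tuple[bool, float]:
        ok, work = compare(SECRET_TOKEN, guess)
        return ok, work + rng.gauss(0.0, noise_sd)

    return oracle


def recover_token(oracle, length: int, alphabet: str = HEX, samples: int = 50) -> str:
    """Byte-by-byte recovery against a timing oracle.

    For each position, every candidate byte is sent `samples` times and the one
    with the highest median latency is kept (the median suppresses jitter).
    The final byte gives no timing signal, so it is confirmed by the accept bit.
    """
    prefix = ""
    for _ in range(length):
        best_char, best_median = None, float("-inf")
        for c in alphabet:
            guess = (prefix + c).ljust(length, "0")  # pad so the length check passes
            latencies = []
            for _ in range(samples):
                ok, latency = oracle(guess)
                if ok:
                    return guess
                latencies.append(latency)
            med = statistics.median(latencies)
            if med > best_median:
                best_char, best_median = c, med
        prefix += best_char
    return prefix


if __name__ == "__main__":
    guesses = ["00000000", "c0000000", "c3000000", "c3a10000"]
    print("naive work counts:", work_profile(naive_compare, guesses))
    print("constant-time work counts:", work_profile(constant_time_compare, guesses))
    print("recovered via timing:", recover_token(make_oracle(naive_compare), len(SECRET_TOKEN)))
    print("against constant-time:", recover_token(make_oracle(constant_time_compare), len(SECRET_TOKEN)))
```

Against the early-exit comparison the recovery finishes after at most 16 candidates times 50 samples per position; against the constant-time comparison the medians are indistinguishable and the result is garbage, because the only remaining signal is the accept/reject bit, which requires guessing the whole token at once.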
Package | Affected Version
---|---
pkg:maven/org.jenkins-ci.plugins/gogs-webhook | <= 1.0.15
- ID: MAVEN:GHSA-885R-HHPR-CC9P
- Severity: low
- URL: https://github.com/advisories/GHSA-885r-hhpr-cc9p
- Published: 2023-10-25T18:32:25
- Modified: 2023-11-11T05:04:54
- Rights: Maven Security Team
Other Advisories

Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix
---|---|---|---|---|---|---|---
Affected | pkg:maven/org.jenkins-ci.plugins/gogs-webhook | org.jenkins-ci.plugins | gogs-webhook | <= 1.0.15 | | |