PT-2023-30147 · Jenkins · Jenkins Zanata Plugin+1

Yaroslav Afenkin

Publicado

2023-10-25

Atualizado

2023-11-01

CVE-2023-46660

CVSS v3.1

5.3

Média

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Jenkins Zanata Plugin versions 0.6 and earlier

Description The issue is related to the use of a non-constant time comparison function when checking whether the provided and expected webhook token hashes are equal. This potentially allows attackers to use statistical methods to obtain a valid webhook token.

Recommendations For Jenkins Zanata Plugin versions 0.6 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-697CWE-208

Identificadores relacionados

CVE-2023-46660

GHSA-86J9-25M2-9W97

Produtos afetados

Jenkins

Jenkins Zanata Plugin

PT-2023-30147 · Jenkins · Jenkins Zanata Plugin+1

CVE-2023-46660

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 7