
CVE-2020-2101 org.jenkins-ci.main:jenkins-core

Package

Manager: maven
Name: org.jenkins-ci.main:jenkins-core
Vulnerable Version: >=0 <2.204.2 || >=2.205 <2.219

Severity

Level: Medium

CVSS v3.0: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N (base score 5.3)

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.02369 (percentile 0.84365)

Details

Non-constant time comparison of inbound TCP agent connection secret

Jenkins 2.218 and earlier and LTS 2.204.1 and earlier do not use a constant-time comparison when validating the connection secret presented by an inbound TCP agent connection. A comparison that returns at the first mismatching byte takes time proportional to the length of the correct prefix, so an attacker able to open agent connections and measure response times could recover the secret through statistical timing analysis (CWE-208). Jenkins 2.219 and LTS 2.204.2 use a constant-time comparison function to verify connection secrets.
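The following Python example is added to this advisory and is not taken from the Jenkins code base. It contrasts the early-exit comparison pattern behind the flaw with a constant-time one and shows the position-by-position recovery that the timing difference enables. The secret, the hex alphabet and the `steps` counter returned by the comparison functions (a deterministic stand-in for measured response time) are constructed for the demonstration.

```python
import hmac
from typing import Callable, Tuple

# Constructed sample secret standing in for the inbound TCP agent connection
# secret. The attack only needs the alphabet and length to be known; both are
# for a hex-encoded secret of fixed size.
HEX_ALPHABET = "0123456789abcdef"
SECRET = "3f9a1c7e0b5d2468"  # constructed, 16 hex characters

# An oracle takes a candidate secret and returns (accepted, steps).
Oracle = Callable[[str], Tuple[bool, int]]


def leaky_compare(expected: str, supplied: str) -> Tuple[bool, int]:
    """Early-exit comparison: the shape of the vulnerable check.

    Returns (match, steps). `steps` is how many characters were examined
    before the function returned; on real hardware that count shows up as
    elapsed time, which is the observable timing discrepancy of CWE-208.
    Returning it explicitly keeps the demonstration deterministic.
    """
    if len(expected) != len(supplied):
        return False, 0
    steps = 0
    for e, s in zip(expected, supplied):
        steps += 1
        if e != s:
            return False, steps  # stops at the first mismatch
    return True, steps


def constant_time_compare(expected: str, supplied: str) -> Tuple[bool, int]:
    """Same contract, but the work done is a function of the length only.

    Differences are OR-ed into `diff` and inspected only after the loop, so
    there is no data-dependent early exit. Hand-rolled here to show the idea;
    production code should call a library routine (see is_valid_secret).
    """
    if len(expected) != len(supplied):
        return False, 0
    diff = 0
    steps = 0
    for e, s in zip(expected, supplied):
        steps += 1
        diff |= ord(e) ^ ord(s)
    return diff == 0, steps


def is_valid_secret(expected: str, supplied: str) -> bool:
    """What the fixed code path should look like: a library constant-time
    comparison over the encoded bytes."""
    return hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))


def recover_secret(oracle: Oracle, length: int, alphabet: str = HEX_ALPHABET) -> str:
    """Recover the secret one position at a time from the oracle's work count.

    For each position every alphabet symbol is tried after the prefix found so
    far; the candidate that makes the oracle do the most work is kept. Against
    leaky_compare that is the correct symbol (the mismatch moves one step
    further). Against constant_time_compare every candidate costs the same, the
    first symbol wins each tie, and the result is unrelated to the secret.
    Against a real server the `steps` value would be replaced by the median of
    many timing measurements per candidate.
    """
    known = ""
    for pos in range(length):
        best_sym, best_steps = alphabet[0], -1
        for sym in alphabet:
            guess = known + sym + alphabet[0] * (length - pos - 1)
            accepted, steps = oracle(guess)
            if accepted:
                return guess
            if steps > best_steps:
                best_sym, best_steps = sym, steps
        known += best_sym
    return known


if __name__ == "__main__":
    leaky = lambda g: leaky_compare(SECRET, g)
    fixed = lambda g: constant_time_compare(SECRET, g)
    print("leaky oracle recovered:", recover_secret(leaky, len(SECRET)))
    print("constant-time oracle recovered:", recover_secret(fixed, len(SECRET)))
    print("library check accepts real secret:", is_valid_secret(SECRET, SECRET))
```

Run against the leaky oracle the recovery needs at most 16 guesses per position instead of 16^16 overall; against the constant-time oracle it learns nothing. In a Jenkins or other JDK code base the counterpart of `hmac.compare_digest` is `java.security.MessageDigest.isEqual(byte[], byte[])`, which is implemented to run in time independent of where the arrays first differ; whatever the language, the rule is to compare the full length and never branch on a partial result.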

Metadata

Created: 2022-05-24T17:07:40Z
Modified: 2022-12-19T21:06:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-w7jr-wqw6-54xc/GHSA-w7jr-wqw6-54xc.json
CWE IDs: CWE-203 (Observable Discrepancy), CWE-208 (Observable Timing Discrepancy)
Alternative ID: GHSA-w7jr-wqw6-54xc
Finding: F047
Auto approve: 1