Fluid Attacks Database

Description

Non-constant time comparison of inbound TCP agent connection secret Jenkins 2.218 and earlier, LTS 2.204.1 and earlier does not use a constant-time comparison validating the connection secret when an inbound TCP agent connection is initiated. This could potentially allow attackers to use statistical methods to obtain the connection secret.

Jenkins 2.219, LTS 2.204.2 now uses a constant-time comparison function for verifying connection secrets.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.jenkins-ci.main:jenkins-core	>=0 <2.204.2 \|\| >=2.205 <2.219	2.204.2, 2.219

Aliases

1. CVE-2020-21012. NVD-2020-21013. OSV-2020-21014. GCVE-2020-21015. access.redhat.com6. access.redhat.com7. access.redhat.com8. access.redhat.com

References

1. https://github.com/jenkinsci/jenkins/commit/0ba36508187ff771bba87feaf03057496775064c2. https://jenkins.io/security/advisory/2020-01-29/#SECURITY-16593. http://www.openwall.com/lists/oss-security/2020/01/29/1

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.