User enumeration in org.jenkins-ci.main:jenkins-core

Description

Non-constant time HMAC comparison

Jenkins 2.218 and earlier, and LTS 2.204.1 and earlier, do not use a constant-time comparison when checking whether two HMACs are equal. A comparison that stops at the first mismatching byte takes slightly longer the more leading bytes of the attacker's guess match the real HMAC, so an attacker who can submit many guesses and measure response times could use statistical methods to recover, byte by byte, a valid HMAC for an attacker-controlled input value.

Jenkins 2.219, LTS 2.204.2 now uses a constant-time comparison when validating HMACs.
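The following is an added example, not Jenkins code and not the patched jenkins-core routine. It computes an HMAC-SHA256 tag with the JDK's javax.crypto.Mac and compares it against attacker guesses two ways: an early-exit loop of the kind Arrays.equals performs, and a constant-time accumulate-then-check loop. Instead of timing, each comparison reports how many byte positions it examined before deciding, which is the quantity a timing measurement approximates. The class name HmacCompareDemo, the Verdict holder, the bytesExamined counter, and the key and message strings are all constructed for this illustration. MessageDigest.isEqual is the JDK-provided constant-time comparison on current JDKs.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added example: early-exit vs constant-time HMAC tag comparison. Not Jenkins code. */
public class HmacCompareDemo {

    /** Outcome of a comparison plus how much work it did before deciding (constructed helper). */
    static final class Verdict {
        final boolean equal;
        final int bytesExamined;
        Verdict(boolean equal, int bytesExamined) {
            this.equal = equal;
            this.bytesExamined = bytesExamined;
        }
    }

    static byte[] hmacSha256(byte[] key, byte[] message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(message);
    }

    /**
     * VULNERABLE pattern: returns at the first mismatching byte, as Arrays.equals does.
     * The work done (and so the time taken) grows with the length of the correct
     * prefix, which is what a remote attacker measures to recover the tag one byte at a time.
     */
    static Verdict earlyExitCompare(byte[] expected, byte[] actual) {
        if (expected.length != actual.length) {
            return new Verdict(false, 0);
        }
        for (int i = 0; i < expected.length; i++) {
            if (expected[i] != actual[i]) {
                return new Verdict(false, i + 1);
            }
        }
        return new Verdict(true, expected.length);
    }

    /**
     * HARDENED pattern: ORs together the XOR of every byte pair and inspects the
     * result only at the end, so the work done does not depend on where the first
     * mismatch is. The tag length is public, so rejecting on a length mismatch leaks nothing.
     */
    static Verdict constantTimeCompare(byte[] expected, byte[] actual) {
        if (expected.length != actual.length) {
            return new Verdict(false, 0);
        }
        int diff = 0;
        for (int i = 0; i < expected.length; i++) {
            diff |= expected[i] ^ actual[i];
        }
        return new Verdict(diff == 0, expected.length);
    }

    /** What a verifier should call in practice: the JDK's constant-time comparison. */
    static boolean verifyTag(byte[] key, byte[] message, byte[] presentedTag) throws Exception {
        return MessageDigest.isEqual(hmacSha256(key, message), presentedTag);
    }

    public static void main(String[] args) throws Exception {
        // Constructed key and message; a real deployment uses a randomly generated secret.
        byte[] key = "demo-secret-key-not-for-production".getBytes(StandardCharsets.UTF_8);
        byte[] message = "job/build-1/token".getBytes(StandardCharsets.UTF_8);
        byte[] validTag = hmacSha256(key, message);

        // Guesses that share the first k bytes with the real tag and differ at byte k.
        for (int k : new int[] {0, 5, 31}) {
            byte[] guess = Arrays.copyOf(validTag, validTag.length);
            guess[k] ^= 0x01;
            Verdict leaky = earlyExitCompare(validTag, guess);
            Verdict safe = constantTimeCompare(validTag, guess);
            System.out.printf("matching prefix=%2d  early-exit examined %2d bytes  constant-time examined %2d bytes%n",
                    k, leaky.bytesExamined, safe.bytesExamined);
        }
        System.out.println("valid tag accepted: " + verifyTag(key, message, validTag));
        System.out.println("zero tag accepted:  " + verifyTag(key, message, new byte[validTag.length]));
    }
}
```

Running the example shows the early-exit comparison examining 1, 6 and 32 bytes for matching prefixes of 0, 5 and 31 bytes, while the constant-time comparison examines all 32 bytes every time. Over a network the per-byte difference is nanoseconds buried in jitter, which is why the advisory speaks of statistical methods rather than a single measurement: the attacker repeats each guess many times and averages. The fix removes the signal entirely rather than trying to hide it in noise.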

Mitigation

Update to Jenkins 2.219 or later, or to LTS 2.204.2 or later, which validate HMACs with a constant-time comparison.


Ecosystem   Package                             Affected versions                        Patched versions
Maven       org.jenkins-ci.main:jenkins-core    2.218 and earlier; LTS 2.204.1 and earlier   2.219; LTS 2.204.2