Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13N2pyLXdxdzYtNTR4Y84AAjcJ
Non-constant time comparison of inbound TCP agent connection secret
Jenkins 2.218 and earlier, and LTS 2.204.1 and earlier, do not use a constant-time comparison when validating the connection secret at the start of an inbound TCP agent connection. Because the comparison finishes early on the first mismatching byte, an attacker could use timing measurements and statistical methods to recover the connection secret.
Jenkins 2.219 and LTS 2.204.2 use a constant-time comparison function for verifying connection secrets.
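The bug class behind this advisory, as an added Python illustration that is not Jenkins's own code: `naive_compare` is a hypothetical reimplementation of the early-exit pattern the advisory describes, `constant_time_compare` is the fixed form, and `work_profile` counts byte comparisons as a stand-in for elapsed time so the data-dependent behaviour is visible without a stopwatch. The secret value and the `verify_secret` helper are constructed for the example.

```python
import hmac

# Constructed stand-in for an inbound-agent connection secret (16 bytes).
EXPECTED_SECRET = b"jenkins-agent-01"


def naive_compare(expected, candidate):
    """Early-exit comparison (the vulnerable pattern). Returns (match, steps),
    where steps is how many bytes were examined before returning."""
    if len(expected) != len(candidate):
        return False, 0
    steps = 0
    for a, b in zip(expected, candidate):
        steps += 1
        if a != b:
            return False, steps  # leaks the position of the first mismatch
    return True, steps


def constant_time_compare(expected, candidate):
    """Fixed pattern: OR all byte differences together and decide at the end,
    so the work done is the same whatever the candidate contains."""
    if len(expected) != len(candidate):
        return False, 0
    diff = 0
    steps = 0
    for a, b in zip(expected, candidate):
        steps += 1
        diff |= a ^ b
    return diff == 0, steps


def work_profile(compare, expected):
    """Feed compare() candidates that share the first k bytes with expected
    (k = 0 .. len) and record the step count for each, to show whether the
    observable work depends on how much of the secret is already correct."""
    profile = []
    for k in range(len(expected) + 1):
        candidate = expected[:k] + bytes(b ^ 0xFF for b in expected[k:])
        _, steps = compare(expected, candidate)
        profile.append(steps)
    return profile


def verify_secret(expected, candidate):
    """What production code should call: the standard library's
    constant-time comparison rather than a hand-rolled loop."""
    return hmac.compare_digest(expected, candidate)
```

Running `work_profile(naive_compare, EXPECTED_SECRET)` yields a rising sequence that tracks the length of the correct prefix, while `work_profile(constant_time_compare, EXPECTED_SECRET)` is flat.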
Permalink: https://github.com/advisories/GHSA-w7jr-wqw6-54xc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13N2pyLXdxdzYtNTR4Y84AAjcJ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 4 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-w7jr-wqw6-54xc, CVE-2020-2101
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-2101
- https://access.redhat.com/errata/RHBA-2020:0402
- https://access.redhat.com/errata/RHBA-2020:0675
- https://access.redhat.com/errata/RHSA-2020:0681
- https://access.redhat.com/errata/RHSA-2020:0683
- https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1659
- http://www.openwall.com/lists/oss-security/2020/01/29/1
- https://github.com/jenkinsci/jenkins/commit/0ba36508187ff771bba87feaf03057496775064c
- https://github.com/advisories/GHSA-w7jr-wqw6-54xc
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.main:jenkins-core
Affected Version Ranges: >= 2.205, <= 2.218, <= 2.204.1
Fixed in: 2.219, 2.204.2