Description
Jenkins Zanata Plugin 0.6 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token hashes are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.
Remediation
References
http://www.openwall.com/lists/oss-security/2023/10/25/2
https://www.jenkins.io/security/advisory/2023-10-25/#SECURITY-2879
Related Vulnerabilities
CVE-2023-40345 Vulnerability in maven package org.jenkins-ci.plugins:delphix
CVE-2019-19703 Vulnerability in maven package io.ktor:ktor-client-core
CVE-2023-30429 Vulnerability in maven package org.apache.pulsar:pulsar-broker-common
CVE-2021-32013 Vulnerability in npm package xlsx
CVE-2020-26945 Vulnerability in maven package org.mybatis:mybatis