CVE-2022-36885
First published: Wed Jul 27 2022(Updated: )
Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jenkins | <2-plugins-0:4.10.1675144701-1.el8 | 2-plugins-0:4.10.1675144701-1.el8 |
| redhat/jenkins | <2-plugins-0:4.8.1672842762-1.el8 | 2-plugins-0:4.8.1672842762-1.el8 |
| redhat/jenkins | <2-plugins-0:4.9.1675668922-1.el8 | 2-plugins-0:4.9.1675668922-1.el8 |
| Jenkins Github | <=1.34.4 | |
| <=1.34.4 | ||
| maven/com.coravy.hudson.plugins.github:github | <=1.34.4 | 1.34.5 |
| redhat/github | <1.34.5 | 1.34.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2022-36885
- https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-1849
- http://www.openwall.com/lists/oss-security/2022/07/27/1
- https://github.com/jenkinsci/github-plugin/releases/tag/v1.34.5
- https://plugins.jenkins.io/github-issues/
- https://github.com/jenkinsci/github-plugin/commit/11d1d79ebf85248dc43432389746c1ecc3452b6a
- https://github.com/advisories/GHSA-mxcc-7h5m-x57r (Advisory)
- https://access.redhat.com/errata/RHSA-2023:0017
- https://access.redhat.com/security/cve/cve-2022-36885
- https://access.redhat.com/errata/RHSA-2023:0560
- https://access.redhat.com/errata/RHSA-2023:0777
- https://bugzilla.redhat.com/show_bug.cgi?id=2119658
- https://www.cve.org/CVERecord?id=CVE-2022-36885 https://nvd.nist.gov/vuln/detail/CVE-2022-36885 https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-1849
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID for Jenkins GitHub Plugin vulnerability?
The vulnerability ID for Jenkins GitHub Plugin vulnerability is CVE-2022-36885.
What is the severity of CVE-2022-36885?
The severity of CVE-2022-36885 is medium, with a CVSS score of 5.3.
How does Jenkins GitHub Plugin 1.34.4 and earlier handle webhook signatures?
Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking webhook signatures.
What is the impact of the vulnerability in Jenkins GitHub Plugin 1.34.4 and earlier?
The vulnerability allows attackers to use statistical methods to obtain a valid webhook signature.
How can I mitigate the vulnerability in Jenkins GitHub Plugin?
To mitigate the vulnerability, update to Jenkins GitHub Plugin version 1.34.5 or later.
- collector/redhat-cve
- collector/nvd-index
- collector/nvd-api
- collector/github-advisory-latest
- alias/GHSA-mxcc-7h5m-x57r
- alias/CVE-2022-36885
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/softwarecombine
- agent/author
- agent/severity
- agent/references
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- collector/github-advisory
- source/GitHub
- collector/nvd-cve
- source/NVD
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- agent/trending
- package-manager/redhat
- vendor/jenkins
- canonical/jenkins github
- version/jenkins github/1.34.4
- package-manager/maven