First published: Wed Oct 25 2023
Jenkins Gogs Plugin 1.0.15 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal. Because such a comparison stops at the first mismatching character, the time the server takes to reject a request depends on how long a correct prefix the attacker supplied. This could potentially allow attackers to use statistical methods (timing measurements averaged over many requests) to obtain a valid webhook token. As of publication of this advisory, there is no fix.
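The following is an added example, not code from the Gogs plugin or from the Jenkins advisory, that shows why the comparison style described above matters. It models an early-exit token check, the constant-time replacement, and the "statistical" recovery the advisory refers to: the attacker repeats each guess, averages the response time, and keeps the candidate character whose mean is highest. Response time is modelled as one unit per matching character plus Gaussian jitter; the token value, its 20-character hex format, and the noise level are constructed assumptions, since the page does not specify the plugin's token format.

```python
import hmac
import random

# Constructed sample token (assumption: 20 lowercase hex characters; the page
# does not give the plugin's real token format). It stands in for the secret a
# Jenkins job has configured for its Gogs webhook.
EXPECTED_TOKEN = "6f1e4c9a2b7d3e8f0a1b"
HEX_ALPHABET = "0123456789abcdef"


def leaky_equals(provided: str, expected: str) -> tuple[bool, int]:
    """Early-exit comparison of the kind the advisory describes.

    Returns (equal, iterations): iterations is how many characters matched
    before the loop stopped. A real server never returns that number; it leaks
    as elapsed time, one extra loop iteration per correct leading character.
    """
    if len(provided) != len(expected):
        return False, 0
    iterations = 0
    for a, b in zip(provided, expected):
        if a != b:
            return False, iterations
        iterations += 1
    return True, iterations


def constant_time_equals(provided: str, expected: str) -> bool:
    """Hardened form: hmac.compare_digest examines every byte no matter where
    the first difference is, so timing no longer depends on the guess.
    (The Java equivalent is java.security.MessageDigest.isEqual.)"""
    return hmac.compare_digest(provided.encode(), expected.encode())


def make_timed_oracle(expected: str, rng: random.Random, noise_sigma: float = 1.0):
    """What the attacker observes against the leaky check: a response time,
    modelled as iterations of leaky_equals plus Gaussian jitter (a constructed
    stand-in for scheduler and network noise)."""
    def oracle(guess: str) -> float:
        _, iterations = leaky_equals(guess, expected)
        return iterations + rng.gauss(0.0, noise_sigma)
    return oracle


def make_constant_time_oracle(expected: str, rng: random.Random, noise_sigma: float = 1.0):
    """Same observation model against the hardened check: every request costs
    the full length, so all the attacker sees is jitter."""
    def oracle(guess: str) -> float:
        constant_time_equals(guess, expected)
        return len(expected) + rng.gauss(0.0, noise_sigma)
    return oracle


def recover_token(oracle, length: int, samples: int = 100, alphabet: str = HEX_ALPHABET) -> str:
    """Recover the token one position at a time from the timing oracle alone.

    Each candidate character is tried `samples` times and the mean time kept;
    the highest mean belongs to the character that let the comparison run one
    iteration further. Averaging is the statistical step: it lifts the
    one-iteration signal above the jitter.
    """
    known = ""
    for pos in range(length):
        best_char, best_mean = alphabet[0], float("-inf")
        for ch in alphabet:
            # Pad to the full length so the length check does not short-circuit.
            guess = known + ch + alphabet[0] * (length - pos - 1)
            mean = sum(oracle(guess) for _ in range(samples)) / samples
            if mean > best_mean:
                best_char, best_mean = ch, mean
        known += best_char
    return known


def demo(seed: int = 1, samples: int = 100) -> dict:
    """Run the attack against both comparisons and report the cost."""
    rng = random.Random(seed)
    length = len(EXPECTED_TOKEN)
    from_leaky = recover_token(make_timed_oracle(EXPECTED_TOKEN, rng), length, samples)
    from_hardened = recover_token(make_constant_time_oracle(EXPECTED_TOKEN, rng), length, samples)
    return {
        "recovered_from_leaky": from_leaky,
        "leaky_accepts": leaky_equals(from_leaky, EXPECTED_TOKEN)[0],
        "recovered_from_hardened": from_hardened,
        "hardened_accepts": constant_time_equals(from_hardened, EXPECTED_TOKEN),
        "requests_used": length * len(HEX_ALPHABET) * samples,
        "brute_force_space": len(HEX_ALPHABET) ** length,
    }


if __name__ == "__main__":
    print(demo())
```

With the constructed noise level the leaky check gives up the whole token in 20 × 16 × 100 requests instead of a 16^20 search, while the same procedure against the constant-time check returns a string chosen by jitter alone. Against a real network the per-character signal is far smaller than the jitter, so many more samples are needed, which is why the advisory says "potentially"; the fix is nevertheless a one-line change.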
Credit: jenkinsci-cert@googlegroups.com
Affected Software | Affected Version | How to fix
---|---|---
Jenkins Gogs Plugin | <=1.0.15 | No fix available as of the advisory's publication
maven/org.jenkins-ci.plugins:gogs-webhook | <=1.0.15 | No fix available as of the advisory's publication
The vulnerability ID of this Jenkins Gogs Plugin vulnerability is CVE-2023-46657.
The severity of CVE-2023-46657 is medium, with a CVSS base score of 5.3.
Jenkins Gogs Plugin versions 1.0.15 and earlier are affected by CVE-2023-46657.
An attacker can potentially exploit CVE-2023-46657 by using statistical methods (timing measurements over many webhook requests) to obtain a valid webhook token.
The references for CVE-2023-46657 are: http://www.openwall.com/lists/oss-security/2023/10/25/2, https://www.jenkins.io/security/advisory/2023-10-25/#SECURITY-2896, and https://nvd.nist.gov/vuln/detail/CVE-2023-46657.