CVE-2022-23106

Summary

Jenkins Configuration as Code Plugin 1.55 and earlier used a non-constant time comparison function when validating an authentication token allowing attackers to use statistical methods to obtain a valid authentication token.

Affected Software

VendorProductVersion RangeStatus
Jenkins projectJenkins Configuration as Code Plugin1.47.1unaffected
Jenkins projectJenkins Configuration as Code Plugin1.53.1unaffected
Jenkins projectJenkins Configuration as Code Plugin1.54.1unaffected
Jenkins projectJenkins Configuration as Code Pluginunspecified <= 1.55affected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

References