CVE-2022-36885

Summary

Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature.

Affected Software

VendorProductVersion RangeStatus
Jenkins projectJenkins GitHub Pluginunspecified <= 1.34.4affected
Jenkins projectJenkins GitHub Plugin1.34.3.1unaffected
Jenkins projectJenkins GitHub Plugin1.34.1.1unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

References