CVE-2022-23106

Jenkins Configuration as Code Plugin 1.55 and earlier used a non-constant time comparison function when validating an authentication token allowing attackers to use statistical methods to obtain a valid authentication token.

Jenkins Configuration as Code Plugin 1.55 and earlier used a non-constant time comparison function when validating an authentication token allowing attackers to use statistical methods to obtain a valid authentication token.

Jenkins Configuration as Code Plugin prior to 1.55.1, 1.54.1, 1.53.1, and 1.47.1 does not use a constant-time comparison when checking whether two authentication tokens are equal. This could potentially allow attackers to use statistical methods to obtain a valid authentication token. Configuration as Code Plugin 1.55.1, 1.54.1, 1.53.1, and 1.47.1 now uses a constant-time comparison when validating authentication tokens.

Jenkins Configuration as Code Plugin prior to 1.55.1, 1.54.1, 1.53.1, and 1.47.1 does not use a constant-time comparison when checking whether two authentication tokens are equal. This could potentially allow attackers to use statistical methods to obtain a valid authentication token. Configuration as Code Plugin 1.55.1, 1.54.1, 1.53.1, and 1.47.1 now uses a constant-time comparison when validating authentication tokens.

El plugin Jenkins Configuration as Code versiones 1.55 y anteriores, usaban una función de comparación de tiempo no constante cuando comprobaban un token de autenticación, permitiendo a atacantes usar métodos estadísticos para obtener un token de autenticación válido