Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-2xpq-5952-38w3: Jenkins MSTeams Webhook Trigger Plugin uses non-constant time webhook token comparison

Jenkins MSTeams Webhook Trigger Plugin 0.1.1 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.

ghsa
#web#git

Jenkins MSTeams Webhook Trigger Plugin uses non-constant time webhook token comparison

Low severity GitHub Reviewed Published Oct 25, 2023 to the GitHub Advisory Database • Updated Oct 30, 2023

Related news

CVE-2023-46650: security - Multiple vulnerabilities in Jenkins plugins

Jenkins GitHub Plugin 1.37.3 and earlier does not escape the GitHub project URL on the build page when showing changes, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.