Generic Webhook Trigger Plugin 1.84.1 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal.

This could potentially allow attackers to use statistical methods to obtain a valid webhook token.

Generic Webhook Trigger Plugin 1.84.2 uses a constant-time comparison when validating the webhook token.

Affected Packages

Maven org.jenkins-ci.plugins:generic-webhook-trigger

Affected versions: 0 (fixed in 1.84.2)

Related CVEs

CVE-2022-43412

Key Information

GHSA ID

GHSA-2jxx-2x93-2q2f

Published

October 19, 2022 7:00 PM

Last Modified

December 16, 2022 5:24 PM

CVSS Score

2.5 /10

Primary Ecosystem

Maven

Primary Package

org.jenkins-ci.plugins:generic-webhook-trigger

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 3, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.