GHSA-f67f-2j6r-m4c9

GitHub Security Advisory

Non-constant time webhook token comparison in Jenkins GitLab Branch Source Plugin

✓ GitHub Reviewed | Severity: LOW | Has CVE

Advisory Details

Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier does not use a constant-time comparison function when checking whether the provided and expected webhook token are equal.

This could potentially allow attackers to use statistical methods to obtain a valid webhook token.

GitLab Branch Source Plugin 688.v5fa_356ee8520 uses a constant-time comparison function when validating the webhook token.
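The two comparison patterns the advisory contrasts, as an added illustration that is not the plugin's own code: a plain `String.equals` check stops at the first differing character, so response time correlates with how many leading characters of the guess were right, while `MessageDigest.isEqual` touches every byte before answering. The class name, method names and the sample token are constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/** Illustrative webhook token validation; hypothetical class, not from the plugin. */
public final class WebhookTokenCheck {

    private WebhookTokenCheck() {}

    /**
     * Vulnerable pattern: String.equals returns as soon as one character differs,
     * so the time taken depends on the length of the matching prefix.
     */
    public static boolean matchesNonConstantTime(String expected, String provided) {
        if (expected == null || provided == null) {
            return false;
        }
        return expected.equals(provided);
    }

    /**
     * Hardened pattern: MessageDigest.isEqual compares all bytes regardless of
     * where the first mismatch is. On older JDKs a length mismatch may still
     * return early, but the token length is not the secret being guessed.
     */
    public static boolean matchesConstantTime(String expected, String provided) {
        if (expected == null || provided == null) {
            return false;
        }
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = provided.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) {
        // Constructed sample secret; a real deployment would load it from a credential store.
        String expected = "constructed-example-token";
        System.out.println(matchesConstantTime(expected, "constructed-example-token"));
        System.out.println(matchesConstantTime(expected, "constructed-example-tokeX"));
    }
}
```

When reviewing a plugin that authenticates inbound webhooks, grep for `.equals(` on the secret path and treat any such call as a finding of this class.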

Affected Packages

Maven io.jenkins.plugins:gitlab-branch-source
Affected versions: 0 (fixed in 688.v5fa)

Key Information

GHSA ID
GHSA-f67f-2j6r-m4c9
Published
January 24, 2024 6:31 PM
Last Modified
January 31, 2024 8:24 PM
CVSS Score
2.5 /10
Primary Ecosystem
Maven
Primary Package
io.jenkins.plugins:gitlab-branch-source
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 3, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.