GHSA-fj6f-6933-839j
GitHub Security Advisory
Non-constant time HMAC comparison
✓ GitHub Reviewed
MODERATE
Has CVE
Advisory Details
Jenkins 2.218 and earlier, and LTS 2.204.1 and earlier, do not use a constant-time comparison when checking whether two HMACs are equal. Because the comparison's running time depends on the input, this could potentially allow attackers to use statistical timing methods to obtain a valid HMAC for an attacker-controlled input value.
Jenkins 2.219 and LTS 2.204.2 now use a constant-time comparison when validating HMACs.
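The following Java example, added here and not taken from Jenkins' own code base, shows the weakness the advisory describes next to the fix: a byte-by-byte comparison that returns on the first mismatch (its duration reveals how many leading bytes of a guess were right), a hand-rolled comparison that always processes every byte, and validation through the JDK's MessageDigest.isEqual, which has been constant-time since Java 6u17. The class and method names, and the demo key and message, are assumptions made for the example.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class HmacCompareExample {

    // Constructed demo key for the example only; load real keys from a secret store.
    private static final byte[] DEMO_KEY =
            "demo-key-not-for-production".getBytes(StandardCharsets.UTF_8);

    /** Compute HMAC-SHA256 over the message with the given key. */
    public static byte[] hmacSha256(byte[] key, byte[] message) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(message);
        } catch (NoSuchAlgorithmException | InvalidKeyException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Variable-time comparison, the pattern the advisory warns about: it returns
     * as soon as one byte differs, so the time taken depends on how many leading
     * bytes of the supplied MAC match the expected one. String.equals and
     * Arrays.equals behave the same way. Do not use this for MAC validation.
     */
    public static boolean variableTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length) {
            return false;
        }
        for (int i = 0; i < a.length; i++) {
            if (a[i] != b[i]) {
                return false; // early exit: timing reveals the mismatch position
            }
        }
        return true;
    }

    /**
     * Constant-time comparison: every byte is visited and the XOR of each pair
     * is OR-ed into an accumulator, so the running time does not depend on where
     * (or whether) the inputs differ. The length check is safe to short-circuit
     * because the length of an HMAC-SHA256 tag is public.
     */
    public static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    /** Validate a received MAC with the JDK's constant-time helper (the preferred fix). */
    public static boolean verify(byte[] key, byte[] message, byte[] receivedMac) {
        byte[] expected = hmacSha256(key, message);
        return MessageDigest.isEqual(expected, receivedMac);
    }

    public static void main(String[] args) {
        // Constructed sample input standing in for an attacker-controlled value.
        byte[] message = "attacker-controlled input".getBytes(StandardCharsets.UTF_8);
        byte[] genuine = hmacSha256(DEMO_KEY, message);
        byte[] forged = genuine.clone();
        forged[forged.length - 1] ^= 0x01; // flip one bit in the last byte

        System.out.println("genuine, variable-time: " + variableTimeEquals(genuine, hmacSha256(DEMO_KEY, message)));
        System.out.println("forged,  variable-time: " + variableTimeEquals(genuine, forged));
        System.out.println("genuine, constant-time: " + constantTimeEquals(genuine, hmacSha256(DEMO_KEY, message)));
        System.out.println("forged,  constant-time: " + constantTimeEquals(genuine, forged));
        System.out.println("verify() genuine      : " + verify(DEMO_KEY, message, genuine));
        System.out.println("verify() forged       : " + verify(DEMO_KEY, message, forged));
    }
}
```

Both comparisons return the same booleans; the difference is only in how long the rejecting path takes, which is exactly the signal a timing measurement exploits. When reviewing code that validates MACs, signatures or tokens, look for String.equals, Arrays.equals or hand-written loops with an early return and replace them with MessageDigest.isEqual or an equivalent accumulator-style compare.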
Affected Packages
Maven: org.jenkins-ci.main:jenkins-core
Affected versions: >= 0, < 2.204.2 (fixed in 2.204.2)
Maven: org.jenkins-ci.main:jenkins-core
Affected versions: >= 2.205, < 2.219 (fixed in 2.219)
Related CVEs
Key Information
Severity score: 5.0 / 10
Dataset
Last updated: August 24, 2025 6:28 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.