Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature. GitHub Plugin 1.34.5 uses a constant-time comparison when validating the webhook signature.

Affected Packages

Maven com.coravy.hudson.plugins.github:github

Affected versions: 0 (fixed in 1.34.5)

Related CVEs

CVE-2022-36885

Key Information

GHSA ID

GHSA-mxcc-7h5m-x57r

Published

July 28, 2022 12:00 AM

Last Modified

January 5, 2024 1:44 PM

CVSS Score

2.5 /10

Primary Ecosystem

Maven

Primary Package

com.coravy.hudson.plugins.github:github

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 25, 2025 6:33 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.