GHSA-w7jr-wqw6-54xc
GitHub Security Advisory
Non-constant time comparison of inbound TCP agent connection secret
✓ GitHub Reviewed
MODERATE
Has CVE
Advisory Details
Jenkins 2.218 and earlier, and LTS 2.204.1 and earlier, do not use a constant-time comparison when validating the connection secret of an inbound TCP agent connection. Because a comparison that stops at the first mismatching byte takes measurably different time depending on how much of the supplied value matches, this could potentially allow attackers to use statistical methods to obtain the connection secret.
Jenkins 2.219 and LTS 2.204.2 now use a constant-time comparison function for verifying connection secrets.
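As an added illustration that is not code from the advisory or from Jenkins itself, the following shows the short-circuiting comparison pattern the advisory describes next to a constant-time replacement using the JDK's MessageDigest.isEqual; the class and method names and the sample secret are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class SecretCompare {

    // Vulnerable pattern: String.equals() returns as soon as it finds the first
    // differing character, so the elapsed time depends on how long the matching
    // prefix of the supplied value is. That is the signal a timing attack measures.
    static boolean equalsShortCircuit(String expected, String supplied) {
        return expected.equals(supplied);
    }

    // Hardened pattern: MessageDigest.isEqual() examines every byte before answering,
    // so the time taken does not depend on where the first mismatch sits.
    // Hashing both sides first gives the comparison fixed-length inputs, which also
    // prevents the length of the real secret from leaking via an early length check.
    static boolean equalsConstantTime(String expected, String supplied) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] a = md.digest(expected.getBytes(StandardCharsets.UTF_8));
            byte[] b = md.digest(supplied.getBytes(StandardCharsets.UTF_8));
            return MessageDigest.isEqual(a, b);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JDK", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample value for the demonstration, not a real agent secret.
        String secret = "constructed-sample-secret";
        System.out.println(equalsShortCircuit(secret, "constructed-sample-secret")); // true
        System.out.println(equalsConstantTime(secret, "constructed-sample-secret"));  // true
        System.out.println(equalsConstantTime(secret, "constructed-sample-secreX"));  // false
        System.out.println(equalsConstantTime(secret, "wrong"));                      // false
    }
}
```

Both methods return the same boolean results; the difference is only in how long a rejected guess takes, which is exactly what a constant-time comparison is meant to remove.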
Affected Packages
Maven: org.jenkins-ci.main:jenkins-core
Affected versions: 0 (fixed in 2.204.2)
Maven: org.jenkins-ci.main:jenkins-core
Affected versions: 2.205 (fixed in 2.219)
Key Information
Severity score: 5.0/10
Dataset: Last updated August 24, 2025 6:28 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.