CVE-2022-23106
Description
Jenkins Configuration as Code Plugin 1.55 and earlier used a non-constant time comparison function when validating an authentication token, allowing attackers to use statistical methods to obtain a valid authentication token.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Configuration as Code Plugin 1.55 and earlier uses a non-constant time comparison for authentication token validation, enabling attackers to statistically determine a valid token.
Vulnerability
Jenkins Configuration as Code Plugin version 1.55 and earlier uses a non-constant time comparison function when validating an authentication token [1][4]. Because such a comparison returns as soon as it finds a mismatching character, its running time depends on how much of the supplied token is correct, which opens a timing side channel. The vulnerability affects every instance that uses the plugin's token-based validation.
Exploitation
An attacker with network access to the Jenkins instance can send multiple token validation requests while measuring response times. By statistically analyzing the timing variations, the attacker can deduce a valid authentication token character by character. No prior authentication or special privileges are required, only network reachability to the Jenkins endpoint that validates the token.
Impact
Successful exploitation allows the attacker to obtain a valid authentication token, which can be used to authenticate to the Jenkins Configuration as Code API. This could lead to unauthorized access to Jenkins configuration, potentially allowing information disclosure or modification of Jenkins settings [1].
Mitigation
The vulnerability is fixed in Jenkins Configuration as Code Plugin version 1.55.1, released on 2022-01-12 [2]. Users should upgrade to this version immediately. No workarounds are available. The plugin is actively maintained, and no EOL status is indicated.
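The following Java class is an added illustration of the pattern described above; it is not the plugin's own `TokenReloadAction` code. `naiveCompare` reproduces the early-exit behaviour of a `String.equals`-style check and reports how many characters it inspected before deciding, `constantTimeCompare` is the `MessageDigest.isEqual` form adopted in the 1.55.1 fix, and `digestCompare` is an assumed further hardening (not part of the patch) that compares fixed-size SHA-256 digests so that even the token length is not reflected in the comparison. The sample token and guesses are constructed values; the class and method names are hypothetical, and `String.repeat` assumes Java 11 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/**
 * Example code (not from the Jenkins plugin): a token check built on an
 * early-exit character loop beside a constant-time check.
 */
public class TokenCompareExample {

    /** Outcome of the naive comparison plus the number of characters it examined. */
    static final class Result {
        final boolean equal;
        final int stepsTaken;

        Result(boolean equal, int stepsTaken) {
            this.equal = equal;
            this.stepsTaken = stepsTaken;
        }
    }

    /**
     * Vulnerable pattern: like String.equals, it stops at the first mismatching
     * character, so the work done (and hence the time) depends on how many
     * leading characters of the guess are correct.
     */
    static Result naiveCompare(String expected, String supplied) {
        if (supplied == null || expected.length() != supplied.length()) {
            return new Result(false, 0);
        }
        int steps = 0;
        for (int i = 0; i < expected.length(); i++) {
            steps++;
            if (expected.charAt(i) != supplied.charAt(i)) {
                return new Result(false, steps);
            }
        }
        return new Result(true, steps);
    }

    /**
     * Fixed pattern as in the 1.55.1 patch: null guard, then a byte-wise
     * comparison whose duration does not depend on where the bytes differ.
     */
    static boolean constantTimeCompare(String expected, String supplied) {
        if (supplied == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Assumed additional hardening (not in the patch): hashing both values to a
     * fixed-size digest first means the compared arrays always have equal length,
     * so a length mismatch cannot short-circuit the comparison.
     */
    static boolean digestCompare(String expected, String supplied) throws Exception {
        if (supplied == null) {
            return false;
        }
        MessageDigest sha = MessageDigest.getInstance("SHA-256");
        byte[] a = sha.digest(expected.getBytes(StandardCharsets.UTF_8));
        byte[] b = sha.digest(supplied.getBytes(StandardCharsets.UTF_8));
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) throws Exception {
        String token = "s3cr3t-reload-token"; // constructed sample value, 19 chars
        String[] guesses = {
            "a" + "x".repeat(18),            // wrong at position 0  -> 1 step
            "s3cr" + "x".repeat(15),         // wrong at position 4  -> 5 steps
            "s3cr3t-reload-tokeX",           // wrong at position 18 -> 19 steps
            token                            // correct              -> 19 steps
        };
        for (String g : guesses) {
            Result r = naiveCompare(token, g);
            System.out.printf("naive: %-20s equal=%-5b steps=%2d | constant-time: %-5b | digest: %b%n",
                    g, r.equal, r.stepsTaken, constantTimeCompare(token, g), digestCompare(token, g));
        }
    }
}
```

Running it shows the `steps` column growing with the length of the correct prefix under the naive check, which is exactly the signal the advisory describes, while the two constant-time variants return the same boolean answers without that dependence. When reviewing a fix of this kind, check that the guard against a null request value is present, since `getBytes` on a null reference would throw before the comparison runs.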
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.jenkins:configuration-as-code (Maven) | >= 1.55, < 1.55.1 | 1.55.1 |
| io.jenkins:configuration-as-code (Maven) | >= 1.54, < 1.54.1 | 1.54.1 |
| io.jenkins:configuration-as-code (Maven) | >= 1.48, < 1.53.1 | 1.53.1 |
| io.jenkins:configuration-as-code (Maven) | < 1.47.1 | 1.47.1 |
Affected products
- Jenkins project / Jenkins Configuration as Code Plugin (v5, range: unspecified)
Patches
4f425675edf7 [SECURITY-2141]
1 file changed · +4 −1
plugin/src/main/java/io/jenkins/plugins/casc/TokenReloadAction.java+4 −1 modified@@ -6,6 +6,8 @@ import hudson.security.ACL; import hudson.security.ACLContext; import java.io.IOException; +import java.nio.charset.StandardCharsets; +import java.security.MessageDigest; import java.util.logging.Logger; import javax.servlet.http.HttpServletRequest; import org.kohsuke.stapler.StaplerRequest; @@ -48,7 +50,8 @@ public void doIndex(StaplerRequest request, StaplerResponse response) throws IOE } else { String requestToken = getRequestToken(request); - if (token.equals(requestToken)) { + if (requestToken != null && MessageDigest.isEqual(token.getBytes(StandardCharsets.UTF_8), requestToken.getBytes( + StandardCharsets.UTF_8))) { LOGGER.info("Configuration reload triggered via token"); try (ACLContext ignored = ACL.as(ACL.SYSTEM)) {
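Review bot: In the doIndex hunk, MessageDigest.isEqual returns immediately when the two byte arrays differ in length, so the new comparison is constant-time only across same-length inputs; if the configured token can have a variable length, consider comparing fixed-size digests of both values (for example SHA-256 of each) rather than the raw UTF-8 bytes. The added `requestToken != null` guard is correct and necessary, since `requestToken.getBytes(StandardCharsets.UTF_8)` would otherwise throw a NullPointerException where the old `token.equals(requestToken)` simply returned false.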
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-fpj7-9xm6-8hgr (GHSA, advisory)
2. nvd.nist.gov/vuln/detail/CVE-2022-23106 (GHSA, advisory)
3. www.openwall.com/lists/oss-security/2022/01/12/6 (GHSA, mailing list, web)
4. github.com/CVEProject/cvelist/blob/00bfb5abeecc9f553a2f42954ee540e493498ee9/2022/23xxx/CVE-2022-23106.json (GHSA, web)
5. github.com/jenkinsci/configuration-as-code-plugin/commit/4f425675edf77d382a6fd10890f1a704ff3b2277 (GHSA, web)
6. www.jenkins.io/security/advisory/2022-01-12/ (GHSA, web)
News mentions
- Jenkins Security Advisory 2022-01-12 (Jenkins Security Advisories, Jan 12, 2022)