Low severityNVD Advisory· Published Jul 27, 2022· Updated Aug 3, 2024

CVE-2022-36885

Description

Jenkins GitHub Plugin 1.34.4 and earlier uses a non-constant time comparison function when checking whether the provided and computed webhook signatures are equal, allowing attackers to use statistical methods to obtain a valid webhook signature.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
com.coravy.hudson.plugins.github:githubMaven	< 1.34.5	1.34.5

Affected products

ghsa-coords
pkg:maven/com.coravy.hudson.plugins.github/github
Range: < 1.34.5
Jenkins Project/Github Plugincpe-rescue
Range: unspecified

Patches

Vulnerability mechanics

References

github.com/advisories/GHSA-mxcc-7h5m-x57rghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2022-36885ghsaADVISORY
www.openwall.com/lists/oss-security/2022/07/27/1ghsamailing-listx_refsource_MLISTWEB
github.com/jenkinsci/github-plugin/commit/11d1d79ebf85248dc43432389746c1ecc3452b6aghsaWEB
github.com/jenkinsci/github-plugin/releases/tag/v1.34.5ghsaWEB
plugins.jenkins.io/github-issuesghsaWEB
www.jenkins.io/security/advisory/2022-07-27/ghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.065
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000