CVE-2023-46657
Description
Jenkins Gogs Plugin uses a non-constant time token comparison, enabling attackers to statistically derive valid webhook tokens.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Root cause
Jenkins Gogs Plugin versions 1.0.15 and earlier employ a non-constant time comparison function when verifying whether a provided webhook token matches the expected token [1][2]. Because the comparison returns as soon as a mismatching character is found, its running time varies with how much of the input is correct, leaking information about the secret token.
Exploitation
An attacker can send a series of requests with different token candidates and measure the response time to infer the correct token character by character [1]. No authentication is required to trigger the webhook endpoint, making it externally accessible over the network.
Impact
By obtaining a valid webhook token, an attacker can authenticate to the Jenkins instance as the plugin and trigger builds or other configured actions, potentially leading to unauthorized code execution or information disclosure [1].
Mitigation
As of the advisory publication date (October 25, 2023), no fixed version is available for the Gogs Plugin [3]. Users are advised to limit access to the Jenkins instance or disable the plugin if not essential [1].
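As an added illustration (not code from the plugin or the advisory), the early-exit comparison pattern the root cause describes, beside the constant-time replacement a fix would use; the inspected-byte counter and the sample token are assumptions introduced here to make the data-dependent work visible:

```python
import hmac


def naive_token_check(provided: str, expected: str) -> tuple[bool, int]:
    """Early-exit comparison of the kind CVE-2023-46657 describes.

    Returns (match, bytes_inspected). The counter is added here only to
    make the leak visible: the work done depends on the length of the
    matching prefix, which is what a timing measurement observes.
    """
    p, e = provided.encode(), expected.encode()
    if len(p) != len(e):
        return False, 0
    inspected = 0
    for a, b in zip(p, e):
        inspected += 1
        if a != b:  # stops at the first mismatch
            return False, inspected
    return True, inspected


def constant_time_token_check(provided: str, expected: str) -> bool:
    """Fixed form: hmac.compare_digest examines every byte regardless of
    where a mismatch occurs, so no prefix information is leaked."""
    return hmac.compare_digest(provided.encode(), expected.encode())


def prefix_leak_profile(expected: str, candidates: list[str]) -> dict[str, int]:
    """Defender-side check: how much work the naive comparison performs per
    candidate. Differing values mean the comparison is not constant time."""
    return {c: naive_token_check(c, expected)[1] for c in candidates}


if __name__ == "__main__":
    secret = "s3cr3t-webhook-token"  # constructed sample value, 20 bytes
    probes = ["x" * len(secret), "s3c" + "x" * 17, secret]
    print(prefix_leak_profile(secret, probes))
    print(constant_time_token_check(probes[1], secret),
          constant_time_token_check(secret, secret))
```

The profile shows the naive check doing 1, 4 and 20 units of work for the three probes, while the constant-time check gives no such signal.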
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:gogs-webhook (Maven) | <= 1.0.15 | — |
Affected products
- Range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-885r-hhpr-cc9p (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-46657 (GHSA, advisory)
- www.jenkins.io/security/advisory/2023-10-25/ (GHSA, vendor advisory, web)
- www.openwall.com/lists/oss-security/2023/10/25/2 (GHSA, web)
News mentions
- Jenkins Security Advisory 2023-10-25 (Jenkins Security Advisories, Oct 25, 2023)