VYPR
Low severity · NVD Advisory · Published Oct 25, 2023 · Updated Feb 13, 2025

CVE-2023-46660

Description

Jenkins Zanata Plugin 0.6 and earlier uses a non-constant-time comparison when checking whether the provided and expected webhook token hashes are equal, potentially allowing attackers to use statistical (timing) methods to obtain a valid webhook token.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

Jenkins Zanata Plugin 0.6 and earlier uses a non-constant-time comparison when checking whether the provided and expected webhook token hashes are equal [1]. A comparison that returns at the first mismatching byte takes time proportional to the length of the matching prefix, so the response time leaks how many leading bytes of the attacker-supplied value match the expected value. This is a classic timing side channel, and it turns a search over the whole value into a search over one byte position at a time [2].

Exploitation

An attacker who can reach the webhook endpoint sends many requests for each candidate value and measures the response times. Averaging over repeated requests suppresses network jitter; the candidate that is consistently slower is the one that matched one more byte. Repeating this position by position reconstructs the full expected value with a number of requests that grows linearly with its length rather than exponentially [1]. The endpoint is designed to be called by Zanata without a Jenkins login, so the token comparison is the only check the attacker has to defeat. Practical exploitability depends on the timing difference being measurable from the attacker's vantage point, which is why issues of this class are typically rated Low.
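The mechanism described above, as an added example that is not part of the original advisory or the Zanata Plugin's code. Wall-clock timings are noisy, so the server stand-in below counts how many character comparisons it performs; that count is exactly the quantity a live attacker estimates by averaging many timed requests per candidate. The token value, the use of SHA-256, and all class and function names are constructed for this example. The same block shows the hardened form, using hmac.compare_digest (in a Java plugin the equivalent is java.security.MessageDigest.isEqual), against which the same recovery loop learns nothing.

```python
"""Added example (not Zanata Plugin or Jenkins code): how an early-exit
comparison leaks a secret one character at a time, and the fix.

The comparison count below stands in for response time; everything else
(token, hash function, names) is constructed for the demonstration.
"""
import hashlib
import hmac

HEX_CHARS = "0123456789abcdef"


class WebhookVerifier:
    """Server-side stand-in holding the expected token hash."""

    def __init__(self, token: bytes) -> None:
        self.expected = hashlib.sha256(token).hexdigest()  # 64 hex chars
        self.steps = 0  # comparisons done by the last check (time proxy)

    def vulnerable_check(self, provided: str) -> bool:
        """Early-exit comparison: returns at the first mismatching
        character, so the work done grows with the matching prefix."""
        self.steps = 0
        if len(provided) != len(self.expected):
            return False
        for got, want in zip(provided, self.expected):
            self.steps += 1
            if got != want:
                return False
        return True

    def hardened_check(self, provided: str) -> bool:
        """Constant-time comparison: hmac.compare_digest inspects every
        byte regardless of where the first difference is."""
        self.steps = len(self.expected)  # independent of the input
        return hmac.compare_digest(provided.encode(), self.expected.encode())


def recover_hash(verifier: WebhookVerifier, check, length: int = 64):
    """Attacker side. For each position, try every hex character and keep
    the one that makes the server do the most work (in a live attack: the
    candidate with the longest mean response time). Returns the recovered
    string and the number of webhook requests it took."""
    known, requests = "", 0
    for pos in range(length):
        best_char, best_steps = HEX_CHARS[0], -1
        for c in HEX_CHARS:
            guess = known + c + HEX_CHARS[0] * (length - pos - 1)
            requests += 1
            if check(guess):          # full match: the check accepted us
                return guess, requests
            if verifier.steps > best_steps:
                best_char, best_steps = c, verifier.steps
        known += best_char            # every candidate tied: no signal
    return known, requests


if __name__ == "__main__":
    token = b"constructed-webhook-token"  # constructed for the example
    victim = WebhookVerifier(token)
    leaked, n = recover_hash(victim, victim.vulnerable_check)
    print("vulnerable:", leaked == victim.expected, "after", n, "requests")
    fixed = WebhookVerifier(token)
    guess, n = recover_hash(fixed, fixed.hardened_check)
    print("hardened:  ", guess == fixed.expected, "after", n, "requests")
```

Run as a script, the loop recovers the 64-character digest from the early-exit check in at most 16 × 64 = 1024 requests instead of 16^64, and recovers only a string of zeros from the constant-time check because every candidate costs the server the same work. Over a real network the per-byte difference is nanoseconds to microseconds, so a live attack needs many repetitions per candidate and good statistics, which is consistent with the Low rating on this page; the request count still scales linearly in the token length, so it is not a purely theoretical concern.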

Impact

Successful exploitation allows an attacker to obtain a valid webhook token. With this token, the attacker can trigger Jenkins jobs or actions that rely on webhook authentication, potentially leading to unauthorized operations within the Jenkins environment [2].

Mitigation

At the time of the advisory, the Zanata Plugin was listed as having unresolved security issues and no fixed version was available [1][3]. Until one is, disable or uninstall the plugin, or restrict access to the webhook endpoint at the network level (for example, allow-list the Zanata server's address on a reverse proxy) so that arbitrary hosts cannot issue the volume of requests a timing attack needs. A plugin-side fix would replace the early-exit comparison with a constant-time one such as java.security.MessageDigest.isEqual.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                         Ecosystem   Affected versions   Patched versions
org.jenkins-ci.plugins:zanata   Maven       <= 0.6              none

Patches

No patches discovered yet.
