More details

Jenkins 2.218 and earlier, and LTS 2.204.1 and earlier, do not use a constant-time comparison when validating the connection secret at the point an inbound TCP agent connection is initiated. This could potentially allow attackers to use statistical methods to obtain the connection secret.

Jenkins 2.219 and LTS 2.204.2 now use a constant-time comparison function for verifying connection secrets.
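The difference between the two comparison styles, as an added example (not Jenkins source code): it counts byte comparisons instead of measuring time, so the data dependence is visible without noise. The class name, helper names and the sample secret are assumptions made for illustration; `MessageDigest.isEqual` is the JDK's own constant-time comparison and is shown as one way to do the check.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class SecretCompareDemo {
    static int steps; // byte comparisons performed by the last call

    // Early-exit comparison: returns at the first mismatch, so the work done
    // grows with the number of leading bytes the caller got right.
    static boolean earlyExitEquals(byte[] expected, byte[] supplied) {
        steps = 0;
        if (expected.length != supplied.length) return false;
        for (int i = 0; i < expected.length; i++) {
            steps++;
            if (expected[i] != supplied[i]) return false;
        }
        return true;
    }

    // Constant-time form: every byte is examined and differences are OR-ed
    // together, so the work depends only on the length.
    static boolean constantTimeEquals(byte[] expected, byte[] supplied) {
        steps = 0;
        if (expected.length != supplied.length) return false;
        int diff = 0;
        for (int i = 0; i < expected.length; i++) {
            steps++;
            diff |= expected[i] ^ supplied[i];
        }
        return diff == 0;
    }

    static void report(String label, byte[] secret, String guess) {
        byte[] g = guess.getBytes(StandardCharsets.UTF_8);
        boolean a = earlyExitEquals(secret, g);
        int leaky = steps;
        boolean b = constantTimeEquals(secret, g);
        int fixed = steps;
        boolean c = MessageDigest.isEqual(secret, g); // JDK constant-time comparison
        System.out.printf("%-14s early-exit=%b (%2d steps)  constant-time=%b (%2d steps)  isEqual=%b%n",
                label, a, leaky, b, fixed, c);
    }

    public static void main(String[] args) {
        // Constructed sample value, not a real Jenkins secret.
        String secret = "4f1c9a7e2b6d8035";
        byte[] s = secret.getBytes(StandardCharsets.UTF_8);
        report("no prefix", s, "0000000000000000");
        report("8-char prefix", s, "4f1c9a7e00000000");
        report("exact match", s, secret);
    }
}
```

The early-exit step count changes with how much of the guess is correct, while the constant-time count stays the same for every equal-length input; that data-dependent work is what a timing measurement picks up.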

References