Description
Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.
Remediation
References
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24
https://access.redhat.com/errata/RHSA-2016:0711
http://rhn.redhat.com/errata/RHSA-2016-1773.html
Related Vulnerabilities
CVE-2016-10735 Vulnerability in maven package org.webjars.bowergithub.twbs:bootstrap
CVE-2010-2076 Vulnerability in maven package org.apache.cxf:cxf-common-utilities
CVE-2023-29008 Vulnerability in npm package @sveltejs/kit
CVE-2022-31069 Vulnerability in npm package @finastra/nestjs-proxy
CVE-2018-1002204 Vulnerability in maven package org.webjars:adm-zip