We have been using the Multibranch scan webhook trigger plugin for almost 2 years and it has always worked perfectly.
However, last week the following security vulnerability was published: Jenkins Security Advisory 2023-10-25.
The description says: “Multibranch Scan Webhook Trigger Plugin 1.0.9 and earlier does not use a constant-time comparison when checking whether the provided and expected webhook token are equal.”
To be honest I do not really understand what it means, since the tokens used by the plugins are fixed; the only thing that is missing is the standard webhook secret management via the X-Hub-Signature header.
I checked the repo and it looks like the plugin has not been updated in more than 2 years.
Is there an alternative for this plugin? If not, who should I contact to understand exactly what is missing, so maybe I can add it to the plugin myself… providing the maintainer accepts PRs?
The risk to you is low.
Example: Statistically, an attacker can use different strings against the plugin and time how long it takes for the plugin to respond. This would enable an attacker to get information like how long your password is without knowing its contents. But by knowing its length, the secret is weaker against brute force.
The disclosure simply makes you aware it is an issue so you can evaluate whether or not you care that it is an issue. So evaluate whether or not that matters to you.
There is no fix in the plugin currently. If someone were to create a fix it would be for the plugin to purposefully delay during string comparisons in order to make the response time the same regardless of the length of the secret. There are fixed-time comparisons in many libraries available.
If you are using the multibranch pipeline with GitHub then you can simply configure the GitHub plugin with a GitHub app. Jenkins will automatically process webhook events from the app even if you’re only using multibranch pipelines. You can configure the webhook setting with a password so it validates payloads.
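The two checks discussed in this thread side by side, as an added example that is not code from the plugin or from the Jenkins project: a token comparison that stops at the first mismatching character (the pattern the advisory describes), the constant-time replacement built on `MessageDigest.isEqual`, and a verification of a GitHub-style `X-Hub-Signature-256` header (`sha256=` followed by the hex HMAC-SHA256 of the raw body under the shared secret) for the "validate payloads" option mentioned above. The class name, method names, token and request body are all made up for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class WebhookAuthExample {

    // Pattern the advisory warns about: String.equals returns as soon as it
    // finds a mismatching character, so the response time depends on how many
    // leading characters of the guess match the expected token.
    static boolean checkTokenNaive(String expected, String provided) {
        return expected.equals(provided);
    }

    // Hardened pattern: MessageDigest.isEqual walks every byte regardless of
    // where the first difference is. Caveat: it still returns immediately when
    // the two lengths differ, so the length of the expected token is not hidden.
    static boolean checkTokenConstantTime(String expected, String provided) {
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = provided.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    // Variant that also hides the token length: hash both sides to a fixed-size
    // digest first, then compare the digests in constant time.
    static boolean checkTokenHashed(String expected, String provided) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] a = md.digest(expected.getBytes(StandardCharsets.UTF_8));
        byte[] b = md.digest(provided.getBytes(StandardCharsets.UTF_8));
        return MessageDigest.isEqual(a, b);
    }

    // HMAC-SHA256 over the raw request body, hex encoded, as GitHub computes
    // it for the X-Hub-Signature-256 header.
    static String hmacSha256Hex(byte[] secret, byte[] body) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return toHex(mac.doFinal(body));
    }

    // Verify the header against our own computation; the comparison of the two
    // hex strings is constant time so the MAC itself cannot be guessed byte by byte.
    static boolean verifyGitHubSignature(byte[] secret, byte[] body, String header) throws Exception {
        if (header == null || !header.startsWith("sha256=")) {
            return false;
        }
        byte[] expected = hmacSha256Hex(secret, body).getBytes(StandardCharsets.US_ASCII);
        byte[] provided = header.substring("sha256=".length())
                .toLowerCase(Locale.ROOT)
                .getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, provided);
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; nothing here comes from a real Jenkins instance.
        String configuredToken = "hypothetical-token-42";
        System.out.println("naive, correct token:          " + checkTokenNaive(configuredToken, "hypothetical-token-42"));
        System.out.println("naive, wrong token:            " + checkTokenNaive(configuredToken, "hypothetical-token-43"));
        System.out.println("constant time, correct token:  " + checkTokenConstantTime(configuredToken, "hypothetical-token-42"));
        System.out.println("constant time, wrong token:    " + checkTokenConstantTime(configuredToken, "hypothetical-token-43"));
        System.out.println("hashed, wrong length:          " + checkTokenHashed(configuredToken, "short"));

        byte[] webhookSecret = "hypothetical-webhook-secret".getBytes(StandardCharsets.UTF_8);
        byte[] body = "{\"ref\":\"refs/heads/main\",\"repository\":{\"full_name\":\"example/repo\"}}"
                .getBytes(StandardCharsets.UTF_8);
        String goodHeader = "sha256=" + hmacSha256Hex(webhookSecret, body);
        System.out.println("signature, valid header:       " + verifyGitHubSignature(webhookSecret, body, goodHeader));
        System.out.println("signature, tampered body:      "
                + verifyGitHubSignature(webhookSecret, "{\"ref\":\"refs/heads/evil\"}".getBytes(StandardCharsets.UTF_8), goodHeader));
        System.out.println("signature, missing header:     " + verifyGitHubSignature(webhookSecret, body, null));
    }
}
```

Two things worth keeping in mind when porting this into a servlet or Jenkins `UnprotectedRootAction`: the HMAC must be computed over the exact bytes GitHub sent (read the body before any JSON parsing or re-serialisation), and the secret should be taken from a Jenkins credential rather than from a plain text field so it is stored encrypted and masked in logs.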
Thanks a lot for your reply, Sam. I understand what the problem is now, and I think I have found the incriminated check in the plugin code. I will try to open a PR, but I am not sure it will get merged.
Welcome back, @Giovanni.
That’s the way to go! The plugin needs a refresh too.
I will try to update it, and if my PR gets merged, you could then propose yours.
Thanks, I always try to help if I am able to. To be honest I have opened my PR yesterday: fix security-2875: time constant token comparison using messagedigest… by gdisanto · Pull Request #15 · jenkinsci/multibranch-scan-webhook-trigger-plugin · GitHub.
However, I have noticed some other PRs that have been open for a while, so I suppose the repo maintainer is busy with some other projects. I do not know what the way to go is in this case.
The plugin has not been updated for 2 years, so yes it needs a refresh. I am available to help if needed.
I know this plugin is not marked as abandoned, but it has a security flaw, and you have the fix.
I don’t know about the “etiquette”, but I wouldn’t be shocked if you asked to become a co-maintainer for this plugin.
Refreshing it and fixing the security flaw would make its “Plugin Health Score” much better…
I guess you are right, I’ll wait a couple of days and if I do not get any feedback for my PR I will try to contact the maintainer directly.
Please follow this procedure to become a co-maintainer for this project: Adopt a Plugin.
Your contribution will greatly benefit the Jenkins project.
Thanks a lot for your help @poddingue.