{"url":"http://public2.vulnerablecode.io/api/packages/67497?format=json","purl":"pkg:maven/io.jenkins.plugins/teams-webhook-trigger@0.1.1","type":"maven","namespace":"io.jenkins.plugins","name":"teams-webhook-trigger","version":"0.1.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46283?format=json","vulnerability_id":"VCID-5u5e-1xr4-p3d1","summary":"Jenkins MSTeams Webhook Trigger Plugin uses non-constant time webhook token comparison\nJenkins MSTeams Webhook Trigger Plugin 0.1.1 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.","references":[{"reference_url":"https://www.jenkins.io/security/advisory/2023-10-25/#SECURITY-2876","reference_id":"","reference_type":"","scores":[],"url":"https://www.jenkins.io/security/advisory/2023-10-25/#SECURITY-2876"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/10/25/2","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2023/10/25/2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46658","reference_id":"CVE-2023-46658","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46658"},{"reference_url":"https://github.com/advisories/GHSA-2xpq-5952-38w3","reference_id":"GHSA-2xpq-5952-38w3","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-2xpq-5952-38w3"}],"fixed_packages":[],"aliases":["CVE-2023-46658","GHSA-2xpq-5952-38w3"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5u5e-1xr4-p3d1"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/io.jenkins.plugins/teams-webhook-trigger@0.1.1"}