Jenkins issue JENKINS-58734: DefaultCrumbIssuer should use more secure hashing algorithm


    • Type: Improvement
    • Resolution: Fixed
    • Priority: Minor
    • Component: core
    • Labels: None
    • Released As: 2.190

The default crumb issuer for Jenkins uses an MD5 hash of some state data to create a crumb for users. This may be hypothetically vulnerable to brute forcing of MD5 hashes to form a valid crumb if the crumb's state is predictable to some level of detail (unsure on the specifics, which is why it's just hypothetical). This is most predictable when the administrator excludes remote IP address and session ID information from being used to seed the crumb, so it's a somewhat contrived scenario potentially. This can be hardened by simply updating the message digest algorithm chosen. Since all JDKs must support SHA-256 as well, this seems like a reasonable update.
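A simplified model of the crumb derivation described above, added here as an illustration and not Jenkins' own DefaultCrumbIssuer code: the state fields (user, optionally remote address and session ID) are digested with a configurable algorithm so the legacy MD5 and hardened SHA-256 choices can be compared side by side. The class, field and method names are hypothetical, and a server-side secret mixed into every crumb is an assumption of this model.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
/** Hypothetical model of a crumb issuer, not Jenkins' DefaultCrumbIssuer. */
public final class CrumbIssuerModel {
    private final String algorithm;        // "MD5" (legacy) or "SHA-256" (hardened)
    private final boolean excludeClientIp; // admin options mentioned in the issue
    private final boolean excludeSessionId;
    private final byte[] serverSecret;     // assumed: per-instance secret mixed into every crumb
    public CrumbIssuerModel(String algorithm, boolean excludeClientIp, boolean excludeSessionId, byte[] secret) {
        this.algorithm = algorithm;
        this.excludeClientIp = excludeClientIp;
        this.excludeSessionId = excludeSessionId;
        this.serverSecret = secret.clone();
    }
    /** State the crumb is derived from; dropping fields makes it more predictable. */
    String stateFor(String user, String remoteAddr, String sessionId) {
        StringBuilder sb = new StringBuilder(user);
        if (!excludeClientIp) sb.append(';').append(remoteAddr);
        if (!excludeSessionId) sb.append(';').append(sessionId);
        return sb.toString();
    }
    public String issueCrumb(String user, String remoteAddr, String sessionId) {
        try {
            MessageDigest md = MessageDigest.getInstance(algorithm);
            md.update(stateFor(user, remoteAddr, sessionId).getBytes(StandardCharsets.UTF_8));
            md.update(serverSecret);
            return toHex(md.digest());
        } catch (NoSuchAlgorithmException e) { // every JDK must provide MD5 and SHA-256
            throw new IllegalStateException("digest not available: " + algorithm, e);
        }
    }
    public boolean validateCrumb(String submitted, String user, String remoteAddr, String sessionId) {
        byte[] expected = issueCrumb(user, remoteAddr, sessionId).getBytes(StandardCharsets.US_ASCII);
        // constant-time comparison so validation does not leak how much of the crumb matched
        return MessageDigest.isEqual(expected, submitted.getBytes(StandardCharsets.US_ASCII));
    }
    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b & 0xff));
        return sb.toString();
    }
    public static void main(String[] args) {
        byte[] secret = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8); // constructed value
        CrumbIssuerModel legacy = new CrumbIssuerModel("MD5", false, false, secret);
        CrumbIssuerModel hardened = new CrumbIssuerModel("SHA-256", false, false, secret);
        String crumb = hardened.issueCrumb("alice", "203.0.113.7", "sess-1");
        System.out.println("hex length MD5=" + legacy.issueCrumb("alice", "203.0.113.7", "sess-1").length() + " SHA-256=" + crumb.length());
        System.out.println("valid for same client=" + hardened.validateCrumb(crumb, "alice", "203.0.113.7", "sess-1") + ", other IP=" + hardened.validateCrumb(crumb, "alice", "198.51.100.9", "sess-1"));
    }
}
```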

Assignee: Matt Sicker (jvz)
Reporter: Matt Sicker (jvz)