Non-constant Time Comparison Flaw in Jenkins Azure AD Plugin
CVE-2023-41935
7.5 HIGH
Summary
The Jenkins Azure AD Plugin, up to version 396.v86ce29279947, is susceptible to a non-constant time comparison issue. The flaw lies in how CSRF protection nonces are validated: because the comparison is not constant-time, an attacker can use statistical timing techniques to deduce a valid nonce from the application. This flaw underscores the need for developers to use constant-time algorithms for security-critical comparisons in order to mitigate such attacks.
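As an added illustration (not code from the Azure AD plugin or from the Jenkins project), the following Java snippet places a short-circuiting nonce comparison beside two constant-time alternatives; the class name, method names and the sample nonce are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class NonceCheck {

    // Non-constant-time: String.equals() returns as soon as it finds a
    // differing character, so the elapsed time depends on how many leading
    // characters of the submitted value match the stored nonce.
    static boolean validateNonceLeaky(String stored, String submitted) {
        return stored.equals(submitted);
    }

    // Constant-time: XOR every byte pair and OR the results together, so the
    // running time depends only on the length, not on where the bytes differ.
    static boolean validateNonceConstantTime(String stored, String submitted) {
        byte[] a = stored.getBytes(StandardCharsets.UTF_8);
        byte[] b = submitted.getBytes(StandardCharsets.UTF_8);
        if (a.length != b.length) {
            // A fixed-size nonce has no secret length, so returning early here
            // leaks nothing useful.
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    // Same property using the JDK helper, whose running time depends only on
    // the length of its first argument, not on the contents of either.
    static boolean validateNonceJdk(String stored, String submitted) {
        return MessageDigest.isEqual(
                stored.getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String stored = "c7f1a3e9b2d04c58"; // constructed sample nonce
        // Correct nonce, wrong last character, and a length mismatch.
        System.out.println(validateNonceLeaky(stored, "c7f1a3e9b2d04c58"));
        System.out.println(validateNonceConstantTime(stored, "c7f1a3e9b2d04c59"));
        System.out.println(validateNonceJdk(stored, "c7f1a3e9b2d04c5"));
    }
}
```

Only the first two methods differ in timing behaviour, not in result; a regression test for this class of bug therefore has to measure time, not just check return values.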
Affected Version(s)
Jenkins Azure AD Plugin 397.v907382dd9b_98
Jenkins Azure AD Plugin 378.380.v545b_1154b_3fb_ < 378.*
References
CVSS v3.1
Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved