Skip to content

Non-constant time nonce comparison in Jenkins Microsoft Entra ID (previously Azure AD) Plugin

High severity GitHub Reviewed Published Sep 6, 2023 to the GitHub Advisory Database • Updated Jan 30, 2024

Package

maven org.jenkins-ci.plugins:azure-ad (Maven)

Affected versions

>= 378.380.v545b, <= 396.v86ce29279947
< 378.vd6e2874a

Patched versions

397.v907382dd9b
378.vd6e2874a

Description

Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_, uses a non-constant time comparison function when checking whether the provided and expected CSRF protection nonce are equal, potentially allowing attackers to use statistical methods to obtain a valid nonce.

References

Published by the National Vulnerability Database Sep 6, 2023
Published to the GitHub Advisory Database Sep 6, 2023
Reviewed Jan 30, 2024
Last updated Jan 30, 2024

Severity

High
7.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Weaknesses

CVE ID

CVE-2023-41935

GHSA ID

GHSA-hj7p-h74j-6gxj

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.