CVE-2023-41935
Published: 2023-09-06
CVSS 3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_, uses a non-constant time comparison function when checking whether the provided and expected CSRF protection nonce are equal, potentially allowing attackers to use statistical methods to obtain a valid nonce.
Affected (17 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | assembla_auth_plugin | — | — |
| jenkins | aws_codecommit_trigger_plugin | — | — |
| jenkins | azure_ad | <= 348.vefd011eea_20b | — |
| jenkins | azure_ad | 378.vd6e2874a_69eb – 396.v86ce29279947 | — |
| jenkins | bitbucket_push_and_pull_request_plugin | — | — |
| jenkins | config_file_provider_plugin | — | — |
| jenkins | disabled_permissions_can_be_granted_by_ssh2_easy_plugin | — | — |
| jenkins | disabled_permissions_granted_by_assembla_auth_plugin | — | — |
| jenkins | frugal_testing_plugin | — | — |
| jenkins | google_login_plugin | — | — |
| jenkins | ivy_plugin | — | — |
| jenkins | job_configuration_history_plugin | — | — |
| jenkins | non-constant_time_token_comparison_in_google_login_plugin | — | — |
| jenkins | pipeline_maven_integration_plugin | — | — |
| jenkins | qualys_container_scanning_connector_plugin | — | — |
| jenkins | ssh2_easy_plugin | — | — |
| jenkins | tap_plugin | — | — |