CVE-2023-41935

CWE-6975 documents5 sources
Severity
7.5HIGH
EPSS
0.1%
top 73.13%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Jenkins Azure AD
Timeline
PublishedSep 6

Description

Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_, uses a non-constant time comparison function when checking whether the provided and expected CSRF protection nonce are equal, potentially allowing attackers to use statistical methods to obtain a valid nonce.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

Mavenorg.jenkins-ci.plugins:azure-ad378.380.v545b397.v907382dd9b+1
NVDjenkins/azure_ad378.vd6e2874a_69eb396.v86ce29279947+1

🔴Vulnerability Details

3
GHSA
Non-constant time nonce comparison in Jenkins Microsoft Entra ID (previously Azure AD) Plugin2023-09-06
CVEList
CVE-2023-41935: Jenkins Azure AD Plugin 3962023-09-06
OSV
Non-constant time nonce comparison in Jenkins Microsoft Entra ID (previously Azure AD) Plugin2023-09-06

📋Vendor Advisories

1
Jenkins
Jenkins Security Advisory 2023-09-062023-09-06
CVE-2023-41935 (HIGH CVSS 7.5) | Jenkins Azure AD Plugin 396.v86ce29 | cvebase.io