CVE-2023-41935

Incorrect Comparison in maven/org.jenkins-ci.plugins/azure-ad

Identifiers

GHSA-hj7p-h74j-6gxj, CVE-2023-41935

Package Slug

maven/org.jenkins-ci.plugins/azure-ad

Vulnerability

Incorrect Comparison

Description

Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b1154b3fb_, uses a non-constant-time comparison function when checking whether the provided and expected CSRF protection nonces are equal, potentially allowing attackers to use statistical methods to obtain a valid nonce.
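As an added illustration (not code from the plugin or from its fix), the non-constant-time comparison pattern the advisory describes is shown beside a constant-time alternative in Java, the language Jenkins plugins are written in; the class and method names are hypothetical and the nonce format is assumed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical illustration of a CSRF-nonce check; not the plugin's code.
public class NonceCheck {

    // Vulnerable pattern: String.equals returns as soon as it finds a
    // differing character, so the time taken grows with the length of the
    // matching prefix. Repeated timing measurements can reveal the nonce
    // one position at a time, which is the weakness the advisory describes.
    static boolean equalsNonConstantTime(String expected, String provided) {
        return expected.equals(provided);
    }

    // Hardened pattern: MessageDigest.isEqual examines every byte of
    // equal-length inputs regardless of where the first mismatch is, so the
    // comparison time does not depend on how much of the guess was right.
    // Only the length can still be observed; nonces here have a fixed length.
    static boolean equalsConstantTime(String expected, String provided) {
        if (expected == null || provided == null) {
            return false;
        }
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = provided.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    // Assumed nonce format: 32 random bytes from a CSPRNG, URL-safe base64.
    static String newNonce() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    public static void main(String[] args) {
        String expected = newNonce();
        String forged = newNonce();
        System.out.println("same nonce accepted:   "
                + equalsConstantTime(expected, expected));
        System.out.println("other nonce accepted:  "
                + equalsConstantTime(expected, forged));
    }
}
```

Both functions return the same boolean for a given pair of inputs; the difference is only in how long the rejection of a wrong guess takes, which is what a timing side channel measures.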

Affected Versions

All versions before 378.vd6e2874a, all versions starting from 378.380.v545b up to 396.v86ce29279947

Solution

Upgrade to versions 378.vd6e2874a, 397.v907382dd9b or above.

Last Modified

2024-01-31
