What is the severity of CVE-2023-41935?

The severity of CVE-2023-41935 is high with a CVSS score of 7.5.

What is the risk of using non-constant time comparison function in Jenkins Azure AD Plugin?

Using a non-constant time comparison function in Jenkins Azure AD Plugin can potentially allow attackers to use statistical methods to obtain a valid CSRF protection nonce.

How can I fix the vulnerability in Jenkins Azure AD Plugin?

To fix the vulnerability in Jenkins Azure AD Plugin, update to a version that is later than 396.v86ce29279947 or use a version between 378.380.v545b_1154b_3fb_ and 396.v86ce29279947.

Vulnerability/
CVE-2023-41935

high

7.5

CWE

697 352

6/9/2023

26/9/2024

CVE-2023-41935: CSRF

Q: Which versions of Jenkins Azure AD Plugin are affected by CVE-2023-41935?

Jenkins Azure AD Plugin versions 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_, are affected by CVE-2023-41935.

First published: Wed Sep 06 2023(Updated: )

Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_, uses a non-constant time comparison function when checking whether the provided and expected CSRF protection nonce are equal, potentially allowing attackers to use statistical methods to obtain a valid nonce.

Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com

Affected Software	Affected Version	How to fix
Jenkins Azure Ad	<=348.vefd011eea_20b
Jenkins Azure Ad	>=378.vd6e2874a_69eb<=396.v86ce29279947
maven/org.jenkins-ci.plugins:azure-ad	<378.vd6e2874a	378.vd6e2874a
maven/org.jenkins-ci.plugins:azure-ad	>=378.380.v545b<=396.v86ce29279947	397.v907382dd9b

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2023-41935?
The severity of CVE-2023-41935 is high with a CVSS score of 7.5.
How does Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_, use a non-constant time comparison function?
Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_, uses a non-constant time comparison function when checking whether the provided and expected CSRF protection nonce are equal.
What is the risk of using non-constant time comparison function in Jenkins Azure AD Plugin?
Using a non-constant time comparison function in Jenkins Azure AD Plugin can potentially allow attackers to use statistical methods to obtain a valid CSRF protection nonce.
Which versions of Jenkins Azure AD Plugin are affected by CVE-2023-41935?
Jenkins Azure AD Plugin versions 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_, are affected by CVE-2023-41935.
How can I fix the vulnerability in Jenkins Azure AD Plugin?
To fix the vulnerability in Jenkins Azure AD Plugin, update to a version that is later than 396.v86ce29279947 or use a version between 378.380.v545b_1154b_3fb_ and 396.v86ce29279947.

collector/nvd-api
collector/nvd-index
agent/type
agent/first-publish-date
collector/github-advisory-latest
source/GitHub
alias/GHSA-hj7p-h74j-6gxj
alias/CVE-2023-41935
agent/software-canonical-lookup
agent/author
agent/severity
agent/references
agent/weakness
agent/description
collector/nvd-cve
source/NVD
agent/softwarecombine
agent/event
collector/github-advisory
agent/tags
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/trending
vendor/jenkins
canonical/jenkins azure ad
version/jenkins azure ad/348.vefd011eea_20b
version/jenkins azure ad/378.vd6e2874a_69eb
version/jenkins azure ad/396.v86ce29279947
package-manager/maven

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.