Base Score

HIGH7.5

CVE-2023-41935

Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_, uses a non-constant time comparison function when checking whether the provided and expected CSRF protection nonce are equal, potentially allowing attackers to use statistical methods to obtain a valid nonce.

VectorNETWORK

Published Byjenkinsci-cert@googlegroups.com

Published DateSep 06, 2023, 13:15

Affected Versions(2)

org.jenkins-ci.plugins:azure-ad(Maven)

Introduced378.380.v545b

Fixed397.v907382dd9b

LimitN/A

org.jenkins-ci.plugins:azure-ad(Maven)

Introduced0

Fixed378.vd6e2874a

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.jenkins-ci.plugins:azure-ad(Maven)	378.380.v545b	397.v907382dd9b	N/A
org.jenkins-ci.plugins:azure-ad(Maven)	0	378.vd6e2874a	N/A

Weakness Type (CWE):CWE-697

CVSS Metrics

Base Score

7.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

NONE

Availability (A)

NONE

References

Base Score

HIGH7.5

Weakness Type (CWE):CWE-697

CVSS Metrics

Base Score

7.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

NONE

Availability (A)

NONE