CVE-2023-41935

Source
https://cve.org/CVERecord?id=CVE-2023-41935
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-41935.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-41935
Aliases
Published
2023-09-06T13:15:10.297Z
Modified
2026-04-10T05:01:21.984338Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b1154b3fb_, uses a non-constant time comparison function when checking whether the provided and expected CSRF protection nonce are equal, potentially allowing attackers to use statistical methods to obtain a valid nonce.
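The following is an added illustration, not code from the Jenkins Azure AD Plugin or from the advisory: it models the early-exit comparison the description refers to beside a constant-time replacement, and shows why "statistical methods" can recover a nonce from such a check. The nonce values, the hex alphabet and the oracle are constructed for the example; the "elapsed time" an attacker would measure over many requests is idealised as the number of characters the vulnerable comparison examined before returning.

```python
"""Timing side channel in a CSRF nonce check: early-exit comparison (the
vulnerable pattern) versus a constant-time one, plus the prefix-recovery
attack the leak enables. Added example; not the plugin's code."""
import hmac
import secrets
from typing import Callable, Optional, Tuple

HEX_ALPHABET = "0123456789abcdef"  # assumption: nonces are lowercase hex


def naive_equals(provided: str, expected: str) -> Tuple[bool, int]:
    """Early-exit comparison. Besides the verdict it returns how many
    characters were examined, which stands in for elapsed time so the
    leak can be observed without wall-clock noise."""
    if len(provided) != len(expected):
        return False, 0
    examined = 0
    for a, b in zip(provided, expected):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_equals(provided: str, expected: str) -> bool:
    """Hardened check: hmac.compare_digest touches every byte regardless of
    where the first mismatch sits, so timing carries no prefix information."""
    return hmac.compare_digest(provided.encode("utf-8"), expected.encode("utf-8"))


def make_timing_oracle(expected: str) -> Callable[[str], Tuple[bool, int]]:
    """Idealised attacker view of the vulnerable endpoint: each submission
    yields (accepted, elapsed). A real attacker gets 'elapsed' by averaging
    many repeated requests; here it is exact. oracle.calls counts submissions."""
    def oracle(guess: str) -> Tuple[bool, int]:
        oracle.calls += 1
        return naive_equals(guess, expected)
    oracle.calls = 0
    return oracle


def recover_nonce(oracle, length: int, alphabet: str = HEX_ALPHABET) -> Optional[str]:
    """Rebuild the secret one position at a time: the candidate that makes the
    comparison run longest is correct, because the first mismatch then moves
    one character further right. The last character is confirmed by acceptance.
    Cost is length * len(alphabet) submissions instead of len(alphabet)**length."""
    recovered = ""
    for pos in range(length):
        best_char, best_time = None, -1
        for ch in alphabet:
            guess = recovered + ch + "0" * (length - pos - 1)  # filler satisfies the length check
            accepted, elapsed = oracle(guess)
            if accepted:
                return guess
            if elapsed > best_time:
                best_char, best_time = ch, elapsed
        recovered += best_char
    return None


if __name__ == "__main__":
    nonce = secrets.token_hex(16)  # 32 hex characters, a realistic nonce size
    oracle = make_timing_oracle(nonce)
    guess = recover_nonce(oracle, len(nonce))
    print(f"recovered: {guess == nonce} after {oracle.calls} submissions")
    print("constant-time verdict:", constant_time_equals(guess or "", nonce))
```

The plugin itself is written in Java, where the equivalent constant-time primitive is `java.security.MessageDigest.isEqual` on the two byte arrays; the Python `hmac.compare_digest` above plays the same role. Against the hardened check the oracle's elapsed value is the same for every guess, so the per-position search has nothing to rank and the attacker is back to guessing the whole nonce at once.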

References

Affected packages

Git / github.com/jenkinsci/azure-ad-plugin

Affected ranges

Type
GIT
Repo
https://github.com/jenkinsci/azure-ad-plugin
Events
Introduced
0 (Unknown introduced commit / All previous commits are affected)
Last affected
348.vefd011eea_20b
Introduced
378.vd6e2874a_69eb
Last affected
396.v86ce29279947
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "348.vefd011eea_20b"
        },
        {
            "introduced": "378.vd6e2874a_69eb"
        },
        {
            "last_affected": "396.v86ce29279947"
        }
    ]
}

Affected versions

146.*
146.vb688d1511c38
150.*
150.vb3db9f880321
152.*
152.v1609ed460604
153.*
153.v7af57b288088
154.*
154.v12e17a5f9ea3
155.*
155.v745ce80af7ea
157.*
157.v2d3d5782a602
158.*
158.v437429002c6b
164.*
164.v5b48baa961d2
165.*
165.v36344b7d7ca7
167.*
167.v34c2c5a3a030
168.*
168.ve6e7e368dbf6
170.*
170.v0a6219442a99
171.*
171.v9ef20c94d336
172.*
172.vf6a517c3329a
173.*
173.v0a210fffb510
174.*
174.vc2d906355813
175.*
175.v5513346d764a
177.*
177.v80b6c1591bf9
178.*
178.v7b93892fbe4c
179.*
179.vf6841393099e
180.*
180.v8b1e80e6f242
183.*
183.vf8c6fa4c6567
184.*
184.v44f04b65bdd5
185.*
185.v3b416408dcb1
188.*
188.v2369adb95a31
189.*
189.v2da14dccdb43
191.*
191.vfc8019068670
194.*
194.v70a6d5203ce4
195.*
195.v8555a0bf0d22
213.*
213.v5b_00db_295f49
218.*
218.v90f6a_980b_a_61
233.*
233.v934e074916c7
234.*
234.vb_ece34ecd5ff
241.*
241.vb_e5cd7c35b_2e
267.*
267.v5b_dfb_514d9fd
303.*
303.va_91ef20ee49f
306.*
306.va_7083923fd50
308.*
308.v10a_6e24f30b_4
313.*
313.v14b_f37ff114d
336.*
336.vd05b_01358644
340.*
340.vdef002cf6415
345.*
345.vdb_07735a_767d
348.*
348.vefd011eea_20b_
378.*
378.vd6e2874a_69eb_
385.*
385.v5d9f88612dd2
391.*
391.v252da_e1dd39c
392.*
392.v4e15d33fe85d
393.*
393.v03d1cfd50759
396.*
396.v86ce29279947
azure-ad-0.*
azure-ad-0.1.1
azure-ad-0.1.1-1
azure-ad-0.2.0
azure-ad-0.3.0
azure-ad-0.3.1
azure-ad-0.3.2
azure-ad-0.3.3
azure-ad-0.3.4
azure-ad-1.*
azure-ad-1.0.0
azure-ad-1.1.0
azure-ad-1.1.1
azure-ad-1.1.2
azure-ad-1.2.0
azure-ad-1.2.1
azure-ad-1.2.2
azure-ad-1.2.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-41935.json"