PT-2023-28173 · Jenkins · Jenkins Azure AD Plugin
Yaroslav Afenkin · Published 2023-09-06 · Updated 2023-09-11
CVE-2023-41935
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins Azure AD Plugin versions 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb
Description
The issue is a non-constant-time comparison function used when checking whether the provided CSRF protection nonce equals the expected one. Because such a comparison stops at the first mismatching byte, its running time depends on how long the matching prefix is, which potentially allows attackers to use statistical timing measurements to obtain a valid nonce.
Recommendations
For Jenkins Azure AD Plugin versions 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb, consider updating to a version that uses a constant-time comparison function to prevent potential exploitation.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
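The following is an added illustration, not code from the Jenkins Azure AD Plugin or from this advisory's author. It contrasts the early-exit comparison the description refers to with a constant-time one. Instead of measuring wall-clock time, `naive_equals` returns how many bytes it inspected before stopping; that count is a stand-in for the elapsed time a remote observer would see, and it grows with the length of the correctly guessed prefix. The nonce values and function names are constructed for the example.

```python
import hmac


def naive_equals(expected: bytes, provided: bytes) -> tuple[bool, int]:
    """Early-exit comparison (the vulnerable pattern).

    Returns (equal, bytes_inspected). The second value stands in for the
    time an observer would measure: the loop stops at the first mismatch,
    so it runs longer the more leading bytes of `provided` are correct.
    """
    if len(expected) != len(provided):
        return False, 0
    inspected = 0
    for a, b in zip(expected, provided):
        inspected += 1
        if a != b:
            return False, inspected
    return True, inspected


def constant_time_equals(expected: bytes, provided: bytes) -> bool:
    """Fixed comparison: hmac.compare_digest examines every byte regardless
    of where the first mismatch is, so the work done does not reveal how
    much of the guess was right."""
    return hmac.compare_digest(expected, provided)


def prefix_leak(expected: bytes, guesses: list[bytes]) -> list[int]:
    """How many bytes the naive comparison inspects for each guess.

    A monotonically rising count as guesses share a longer correct prefix
    is exactly the signal a constant-time comparison must not expose.
    """
    return [naive_equals(expected, g)[1] for g in guesses]


if __name__ == "__main__":
    # Constructed sample nonce; a real CSRF nonce would be random bytes.
    nonce = b"abcdef"
    guesses = [b"xbcdef", b"abxdef", b"abcdxf", b"abcdef"]
    print("naive work per guess:", prefix_leak(nonce, guesses))  # [1, 3, 5, 6]
    print("constant-time result:", [constant_time_equals(nonce, g) for g in guesses])
```

In Java, the language the plugin is written in, the equivalent drop-in for the fixed comparison is `java.security.MessageDigest.isEqual(byte[], byte[])`, which compares the full length of both arrays before returning.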
Found a problem in the description? Have something to add? Feel free to write to us 👾
Weakness Enumeration
Related identifiers
Affected products
Jenkins
Jenkins Azure Ad Plugin