CVE-2023-41935
Description
Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_, uses a non-constant time comparison function when checking whether the provided and expected CSRF protection nonce are equal, potentially allowing attackers to use statistical methods to obtain a valid nonce.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Azure AD Plugin uses a non-constant time comparison for CSRF nonces, enabling statistical timing attacks to forge a valid nonce.
Root Cause
CVE-2023-41935 affects the Jenkins Azure AD Plugin version 396.v86ce29279947 and earlier (excluding the fixed version 378.380.v545b_1154b_3fb_). The plugin uses a non-constant time comparison function when verifying whether a provided CSRF protection nonce matches the expected value [1][3]. Unlike a constant-time comparison, this implementation does not execute in a fixed amount of time: it stops at the first mismatching byte, so execution time varies with how much of the provided value agrees with the expected one.
Exploitation
An attacker can exploit this timing discrepancy by sending a series of crafted requests and measuring the server's response times. Over many attempts, statistical methods can be used to infer the correct nonce byte-by-byte [1][3]. No authentication is required for this attack, as the CSRF protection targets unauthenticated or low-privilege requests; however, the attacker must be able to send network requests to the Jenkins controller and measure response timing with sufficient precision.
Impact
By obtaining a valid nonce, an attacker can forge a CSRF token and bypass the plugin's cross-site request forgery protection. This allows them to craft malicious requests that appear legitimate to Jenkins, potentially leading to unauthorized actions on the Jenkins controller.
Mitigation
The Jenkins security advisory recommends upgrading to Azure AD Plugin version 397.v907382dd9b_98 or 378.380.v545b_1154b_3fb_, both of which use a constant-time comparison function [1][2]. All affected instances should update to the fixed versions as soon as possible.
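The root-cause and mitigation sections above both turn on the difference between an early-exit byte comparison and a constant-time one. The following is an added example and is not code from the Azure AD Plugin or from Jenkins; the class name, method names and the sample nonce strings are constructed for illustration. It places the two comparison styles side by side and shows the JDK routine a fix would normally reach for.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/**
 * Added example (not the Azure AD Plugin's code): contrasts an early-exit
 * nonce comparison with constant-time alternatives. All nonce values used
 * here are constructed samples.
 */
public final class NonceCompare {

    // Early-exit comparison: returns as soon as a byte differs, so the time
    // taken grows with the number of leading bytes that match. This is the
    // pattern the advisory describes; String.equals and Arrays.equals behave
    // the same way and are likewise unsuitable for comparing secrets.
    static boolean equalsEarlyExit(byte[] expected, byte[] provided) {
        if (expected.length != provided.length) {
            return false;
        }
        for (int i = 0; i < expected.length; i++) {
            if (expected[i] != provided[i]) {
                return false;
            }
        }
        return true;
    }

    // Constant-time comparison: visits every byte regardless of where the
    // first difference is and folds all differences into one accumulator, so
    // the running time does not depend on the position of a mismatch.
    static boolean equalsConstantTime(byte[] expected, byte[] provided) {
        if (expected.length != provided.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < expected.length; i++) {
            diff |= expected[i] ^ provided[i];
        }
        return diff == 0;
    }

    // What a fix would normally use: MessageDigest.isEqual from the JDK,
    // which is constant-time for equal-length inputs in current Java
    // releases. Null handling is done up front so a missing nonce never
    // reaches the comparison.
    static boolean nonceMatches(String expected, String provided) {
        if (expected == null || provided == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                provided.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample values; a real nonce would be random bytes
        // generated by a SecureRandom instance.
        String expected = "c0ffee1234567890";
        String nearMiss = "c0ffee1234567891"; // differs only in the last byte
        String wrong    = "0000000000000000";

        byte[] e = expected.getBytes(StandardCharsets.UTF_8);

        System.out.println("early-exit, near miss:    "
                + equalsEarlyExit(e, nearMiss.getBytes(StandardCharsets.UTF_8)));
        System.out.println("constant-time, near miss: "
                + equalsConstantTime(e, nearMiss.getBytes(StandardCharsets.UTF_8)));
        System.out.println("nonceMatches, correct:    " + nonceMatches(expected, expected));
        System.out.println("nonceMatches, wrong:      " + nonceMatches(expected, wrong));
    }
}
```

Both comparison styles return the same boolean for every input; the only thing that changes is whether the time taken carries information about the expected value. Note that all three methods still return early on a length mismatch, which is acceptable for a CSRF nonce of fixed length but would leak the secret's length if the lengths could vary; in that case hash both sides first and compare the digests.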
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:azure-ad (Maven) | >= 378.380.v545b, < 397.v907382dd9b | 397.v907382dd9b |
| org.jenkins-ci.plugins:azure-ad (Maven) | < 378.vd6e2874a | 378.vd6e2874a |
Affected products
- Range: <=396.v86ce29279947
- Range: 397.v907382dd9b_98
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-hj7p-h74j-6gxj (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2023-41935 (advisory, via GHSA)
- www.jenkins.io/security/advisory/2023-09-06/ (vendor advisory, web, via GHSA)
- www.openwall.com/lists/oss-security/2023/09/06/9 (web, via GHSA)
News mentions
- Jenkins Security Advisory 2023-09-06 (Jenkins Security Advisories, Sep 6, 2023)