CVE-2023-41936
Description
Jenkins Google Login Plugin 1.7 and earlier uses a non-constant time comparison for tokens, enabling statistical token recovery attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Summary
Jenkins Google Login Plugin versions 1.7 and earlier contain a timing vulnerability in the token comparison performed during the OAuth authentication flow. The plugin uses a non-constant-time string comparison when checking whether the state parameter received from the client matches the expected value [1][3]. A constant-time comparison (such as MessageDigest.isEqual()) prevents this side channel by ensuring that the comparison time does not reveal information about the correct value.
Exploitation Details
An attacker can exploit this vulnerability without authentication by sending crafted OAuth requests to the Jenkins login endpoint. The non-constant-time comparison allows statistical analysis of response timing, which can be used to deduce a valid token character by character [1]. The attacker must be able to measure response times accurately, which typically requires local network access or the ability to induce sufficiently large timing differences. The fix in version 1.8 replaces the comparison with MessageDigest.isEqual(), which executes in constant time [4].
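The contrast between the two comparison styles described above, as an added example written for this page (it is not code from the Google Login Plugin; the class, field and method names are assumptions for illustration): the vulnerable shape short-circuits on the first mismatching character, while the hardened shape rejects a missing state first and then compares every byte with MessageDigest.isEqual(), as the 1.8 fix does.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.UUID;

/**
 * Added example, not the plugin's own code. Shows a per-session OAuth
 * "state" check in its timing-leaky form beside its constant-time form.
 * Class, field and method names are assumptions for illustration.
 */
public final class OAuthStateCheck {

    /** Expected state for this login session (a fixed-length UUID string). */
    private final String expectedState;

    public OAuthStateCheck(String expectedState) {
        this.expectedState = expectedState;
    }

    /**
     * Pre-1.8 shape: String.equals() returns at the first mismatching
     * character, so its running time depends on how long a correct
     * prefix the received value shares with the expected one.
     */
    public boolean matchesVulnerable(String receivedState) {
        return expectedState.equals(receivedState);
    }

    /**
     * 1.8 shape: reject a missing parameter up front (getBytes() on null
     * would throw), then compare all bytes. MessageDigest.isEqual() only
     * returns early when the lengths differ, which reveals the length of
     * the expected state; that is acceptable here because the state is a
     * fixed-format UUID, so its length is not secret. For equal lengths
     * the comparison time does not depend on where the bytes differ.
     */
    public boolean matchesConstantTime(String receivedState) {
        if (receivedState == null) {
            return false;
        }
        byte[] expected = expectedState.getBytes(StandardCharsets.UTF_8);
        byte[] received = receivedState.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, received);
    }

    public static void main(String[] args) {
        // Constructed sample: a fresh state as the plugin would generate per session.
        String state = UUID.randomUUID().toString();
        OAuthStateCheck check = new OAuthStateCheck(state);

        System.out.println("correct state accepted: " + check.matchesConstantTime(state));
        System.out.println("wrong state rejected:   " + check.matchesConstantTime(UUID.randomUUID().toString()));
        System.out.println("missing state rejected: " + check.matchesConstantTime(null));

        // A value sharing only a prefix with the real state must fail, and under
        // the constant-time check it takes the same time as a total mismatch.
        String prefixGuess = state.substring(0, 8) + "0".repeat(state.length() - 8);
        System.out.println("prefix guess rejected:  " + check.matchesConstantTime(prefixGuess));
    }
}
```

Both methods return the same booleans for every input; the difference is only in how long the rejecting path takes, which is exactly what the advisory's timing attack measures. When the secret being compared is not fixed-length, the length leak of MessageDigest.isEqual() needs separate consideration (for example by comparing digests of both values rather than the values themselves).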
Impact
Successful exploitation could allow an attacker to obtain a valid OAuth state token, which may be reused to impersonate a user during the login process. This could lead to unauthorized access to Jenkins instances configured with Google Login for authentication [1][2].
Mitigation
Jenkins has released Google Login Plugin version 1.8 which fixes this vulnerability by using a constant-time comparison function [2][4]. All users should upgrade to version 1.8 or later. As of September 2023 this issue is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:google-login (Maven) | < 1.8 | 1.8 |
Patches
- 2273af025ad0 [SECURITY-3228]
1 file changed · +3 −1
src/main/java/org/jenkinsci/plugins/googlelogin/OAuthSession.java+3 −1 modified@@ -30,6 +30,7 @@ import hudson.model.Failure; import hudson.remoting.Base64; import hudson.util.HttpResponses; +import java.security.MessageDigest; import org.kohsuke.stapler.HttpRedirect; import org.kohsuke.stapler.HttpResponse; import org.kohsuke.stapler.Stapler; @@ -98,7 +99,8 @@ public HttpResponse doFinishLogin(StaplerRequest request) throws IOException { } try { AuthorizationCodeResponseUrl responseUrl = new AuthorizationCodeResponseUrl(buf.toString()); - if (! uuid.equals(responseUrl.getState())) { + String state = responseUrl.getState(); + if (state == null || !MessageDigest.isEqual(uuid.getBytes(StandardCharsets.UTF_8), state.getBytes(StandardCharsets.UTF_8))) { return HttpResponses.error(401, "State is invalid"); } String code = responseUrl.getCode();
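Review bot: the first hunk adds `import java.security.MessageDigest;`, but the new check in the second hunk also uses `StandardCharsets`, and no import of `java.nio.charset.StandardCharsets` appears anywhere in the diff. The `+3 −1` count suggests it is already imported elsewhere in OAuthSession.java; please confirm, since the file will not compile otherwise.

Review bot: the rewritten check in `doFinishLogin` correctly guards the null case, because `state.getBytes(StandardCharsets.UTF_8)` would otherwise throw a NullPointerException when the state parameter is absent, whereas the old `uuid.equals(responseUrl.getState())` simply returned false. One caveat worth a comment above the `if`: `MessageDigest.isEqual` still returns early when the two arrays differ in length, so the length of `uuid` remains observable from timing; that is acceptable because it is a fixed-format UUID, and a short comment saying why `equals` was replaced would keep a future refactor from reverting it.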
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-g58x-57fv-86jh (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-41936 (advisory)
- www.jenkins.io/security/advisory/2023-09-06/ (vendor advisory)
- www.openwall.com/lists/oss-security/2023/09/06/9 (web)
- github.com/jenkinsci/google-login-plugin/commit/2273af025ad06ee13ab73a5a070b10689c2db61e (fix commit)
News mentions
- Jenkins Security Advisory 2023-09-06 (Jenkins Security Advisories, Sep 6, 2023)