Maven package
org.jenkins-ci.plugins/azure-ad
pkg:maven/org.jenkins-ci.plugins/azure-ad
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-42525 | Med | 4.3 | < 667.v4c5827a | 667.v4c5827a | Apr 29, 2026 | Jenkins Microsoft Entra ID (previously Azure AD) Plugin 666.v6060de32f87d and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks. | |
| CVE-2023-41935 | — | >= 378.380.v545b, < 397.v907382dd9b | 397.v907382dd9b | Sep 6, 2023 | Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_, uses a non-constant time comparison function when checking whether the provided and expected CSRF protection nonce are equal, potentially allowing attackers to use statistical methods to obtai | ||
| CVE-2023-24426 | — | <= 303.va | — | Jan 24, 2023 | Jenkins Azure AD Plugin 303.va_91ef20ee49f and earlier does not invalidate the previous session on login. | ||
| CVE-2021-21679 | — | < 180.v8b1e80e6f242 | 180.v8b1e80e6f242 | Aug 31, 2021 | Jenkins Azure AD Plugin 179.vf6841393099e and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins. | ||
| CVE-2020-2119 | — | < 1.2.0 | 1.2.0 | Feb 12, 2020 | Jenkins Azure AD Plugin 1.1.2 and earlier transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure. | ||
| CVE-2019-10318 | — | < 0.3.4 | 0.3.4 | Apr 30, 2019 | Jenkins Azure AD Plugin 0.3.3 and earlier stored the client secret unencrypted in the global config.xml configuration file on the Jenkins master where it could be viewed by users with access to the master file system. |
- affected < 667.v4c5827afixed 667.v4c5827a
Jenkins Microsoft Entra ID (previously Azure AD) Plugin 666.v6060de32f87d and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks.
- CVE-2023-41935Sep 6, 2023affected >= 378.380.v545b, < 397.v907382dd9bfixed 397.v907382dd9b
Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_, uses a non-constant time comparison function when checking whether the provided and expected CSRF protection nonce are equal, potentially allowing attackers to use statistical methods to obtai
- CVE-2023-24426Jan 24, 2023affected <= 303.va
Jenkins Azure AD Plugin 303.va_91ef20ee49f and earlier does not invalidate the previous session on login.
- CVE-2021-21679Aug 31, 2021affected < 180.v8b1e80e6f242fixed 180.v8b1e80e6f242
Jenkins Azure AD Plugin 179.vf6841393099e and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins.
- CVE-2020-2119Feb 12, 2020affected < 1.2.0fixed 1.2.0
Jenkins Azure AD Plugin 1.1.2 and earlier transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.
- CVE-2019-10318Apr 30, 2019affected < 0.3.4fixed 0.3.4
Jenkins Azure AD Plugin 0.3.3 and earlier stored the client secret unencrypted in the global config.xml configuration file on the Jenkins master where it could be viewed by users with access to the master file system.