GHSA-hj7p-h74j-6gxj

Source
https://github.com/advisories/GHSA-hj7p-h74j-6gxj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-hj7p-h74j-6gxj/GHSA-hj7p-h74j-6gxj.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-hj7p-h74j-6gxj
Aliases
Published
2023-09-06T15:30:26Z
Modified
2024-01-30T23:41:38.861059Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Non-constant time nonce comparison in Jenkins Microsoft Entra ID (previously Azure AD) Plugin
Details

Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b1154b3fb_, uses a non-constant time comparison function when checking whether the provided and expected CSRF protection nonces are equal, potentially allowing attackers to use statistical methods to obtain a valid nonce.
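The comparison defect described above, as an added illustration written for this page rather than taken from the plugin: a short-circuiting String.equals() check beside the constant-time MessageDigest.isEqual() form a fix would use. The class, method names and nonce format are assumptions, not the plugin's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

/**
 * Illustrative example (not the Jenkins plugin's code): comparing a CSRF
 * protection nonce with a short-circuiting check versus a constant-time one.
 */
public class NonceCheck {

    // Vulnerable pattern: String.equals() returns at the first mismatching
    // character, so the time it takes depends on how long the matching prefix
    // is. Repeated measurements can turn that into information about the nonce.
    static boolean leakyEquals(String expected, String provided) {
        return expected.equals(provided);
    }

    // Hardened pattern: MessageDigest.isEqual examines every byte of two
    // equal-length arrays no matter where they differ. Its early return on a
    // length mismatch is harmless here because nonce length is fixed and public.
    static boolean constantTimeEquals(String expected, String provided) {
        if (expected == null || provided == null) {
            return false;
        }
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = provided.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    // Assumed nonce format: 32 CSPRNG bytes, URL-safe base64 without padding.
    static String newNonce() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    public static void main(String[] args) {
        String expected = newNonce();
        // Constructed input: a value that shares only a short prefix with the nonce.
        String partial = expected.substring(0, 4) + "AAAA";
        System.out.println("leaky,         exact nonce: " + leakyEquals(expected, expected));
        System.out.println("leaky,         partial:     " + leakyEquals(expected, partial));
        System.out.println("constant-time, exact nonce: " + constantTimeEquals(expected, expected));
        System.out.println("constant-time, partial:     " + constantTimeEquals(expected, partial));
    }
}
```

Both methods return the same booleans; the difference the advisory is about is in how long the false case takes, which is why a fix replaces the comparison function rather than the nonce generation.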

Database specific
{
    "nvd_published_at": "2023-09-06T13:15:10Z",
    "cwe_ids": [
        "CWE-697"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-30T23:10:45Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:azure-ad

Package

Name
org.jenkins-ci.plugins:azure-ad
Purl
pkg:maven/org.jenkins-ci.plugins/azure-ad

Affected ranges

Type
ECOSYSTEM
Events
Introduced
378.380.v545b
Fixed
397.v907382dd9b

Affected versions

378.*

378.380.v545b_1154b_3fb_

385.*

385.v5d9f88612dd2

391.*

391.v252da_e1dd39c

392.*

392.v4e15d33fe85d

393.*

393.v03d1cfd50759

396.*

396.v86ce29279947

Database specific

{
    "last_known_affected_version_range": "<= 396.v86ce29279947"
}

Maven / org.jenkins-ci.plugins:azure-ad

Package

Name
org.jenkins-ci.plugins:azure-ad
Purl
pkg:maven/org.jenkins-ci.plugins/azure-ad

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
378.vd6e2874a

Affected versions

0.*

0.1.1
0.1.1-1
0.2.0
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4

1.*

1.0.0
1.1.0
1.1.1
1.1.2
1.2.0
1.2.1
1.2.2
1.2.3

146.*

146.vb688d1511c38

150.*

150.vb3db9f880321

152.*

152.v1609ed460604

153.*

153.v7af57b288088

154.*

154.v12e17a5f9ea3

155.*

155.v745ce80af7ea

157.*

157.v2d3d5782a602

158.*

158.v437429002c6b

164.*

164.v5b48baa961d2

165.*

165.v36344b7d7ca7

167.*

167.v34c2c5a3a030

168.*

168.ve6e7e368dbf6

170.*

170.v0a6219442a99

171.*

171.v9ef20c94d336

172.*

172.vf6a517c3329a

173.*

173.v0a210fffb510

174.*

174.vc2d906355813

175.*

175.v5513346d764a

177.*

177.v80b6c1591bf9

178.*

178.v7b93892fbe4c

179.*

179.vf6841393099e

180.*

180.v8b1e80e6f242

183.*

183.vf8c6fa4c6567

184.*

184.v44f04b65bdd5

185.*

185.v3b416408dcb1

188.*

188.v2369adb95a31

189.*

189.v2da14dccdb43

190.*

190.v872b1977148a

191.*

191.vfc8019068670

194.*

194.v70a6d5203ce4

195.*

195.v8555a0bf0d22

213.*

213.v5b_00db_295f49

218.*

218.v90f6a_980b_a_61

233.*

233.v934e074916c7

234.*

234.vb_ece34ecd5ff

241.*

241.vb_e5cd7c35b_2e

267.*

267.v5b_dfb_514d9fd

303.*

303.va_91ef20ee49f

306.*

306.va_7083923fd50

308.*

308.v10a_6e24f30b_4

313.*

313.v14b_f37ff114d

336.*

336.vd05b_01358644

340.*

340.vdef002cf6415

345.*

345.vdb_07735a_767d

348.*

348.vefd011eea_20b_

349.*

349.vc02b_a_0b_142a_8