Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_, uses a non-constant time comparison function when checking whether the provided and expected CSRF protection nonce are equal, potentially allowing attackers to use statistical methods to obtain a valid nonce.
The product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Azure_ad | Jenkins | * | 348.vefd011eea_20b (including) |
| Azure_ad | Jenkins | 378.vd6e2874a_69eb (including) | 396.v86ce29279947 (including) |
This Pillar covers several possibilities: