CVE-2023-41935
📋 TL;DR
The Jenkins Azure AD Plugin validates the nonce used in its Azure AD login flow with a non-constant-time comparison. Response time therefore depends on how many leading bytes of a submitted nonce match the expected value, and an attacker who can measure it can statistically recover a valid nonce and use it to bypass the plugin's CSRF protection. Affected: Jenkins instances running Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_.
💻 Affected Systems
- Jenkins Azure AD Plugin
📦 What is this software?
Azure AD Plugin (plugin ID azure-ad) by the Jenkins project: a security realm that authenticates Jenkins users against Azure Active Directory (now Microsoft Entra ID) and can map directory groups to Jenkins authorization.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could perform CSRF attacks to execute arbitrary actions as authenticated users, potentially leading to privilege escalation, data manipulation, or unauthorized configuration changes.
Likely Case
Attackers could perform CSRF attacks to modify Jenkins configurations, create/delete jobs, or perform other authenticated actions without user consent.
If Mitigated
If Jenkins is reachable only from trusted networks, an attacker must already hold a foothold on that network to measure response times, and the impact stays bounded by the permissions of the user whose session is targeted.
🎯 Exploit Status
Exploitation requires a timing side channel: many measured requests against the nonce check, plus statistical analysis to separate a one-byte-longer matching prefix from network jitter. This is complex and noisy over a network, but feasible for an attacker with a low-latency vantage point and the ability to send a large number of requests.
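The mechanism in the TL;DR and the feasibility claim above, as an added example (Python, written for this page; it is not code from the Azure AD Plugin or from Jenkins). An early-exit comparison of the kind String.equals() performs is placed beside a constant-time one, and a byte-at-a-time attacker averages many probes per candidate to beat jitter. Timing is modelled as the number of byte comparisons performed plus seeded random jitter rather than measured wall-clock time, and the nonce, oracle and alphabet are constructed for the demonstration, so it runs offline and deterministically.

```python
import hmac
import random
import statistics
import string


def leaky_equals(expected, candidate):
    """Early-exit comparison of the kind String.equals() performs: it stops at
    the first differing byte, so the amount of work reveals how long the
    matching prefix is. Returns (match, bytes_compared)."""
    if len(expected) != len(candidate):
        return False, 0
    compared = 0
    for a, b in zip(expected, candidate):
        compared += 1
        if a != b:
            return False, compared
    return True, compared


def constant_time_equals(expected, candidate):
    """Constant-time comparison: hmac.compare_digest touches every byte no
    matter where the first mismatch is (Java equivalent: MessageDigest.isEqual).
    The reported work is therefore always the full length."""
    return hmac.compare_digest(expected, candidate), len(expected)


class NonceOracle:
    """Stand-in for the login callback that validates the session nonce. The
    attacker only observes accept/reject plus a noisy timing measurement."""

    def __init__(self, nonce, compare, jitter=2, seed=0):
        self._nonce = nonce
        self._compare = compare
        self._jitter = jitter
        self._rng = random.Random(seed)  # seeded so the run is reproducible

    def probe(self, candidate):
        accepted, work = self._compare(self._nonce, candidate)
        # Constructed network jitter: 0..jitter extra time units per request.
        return accepted, work + self._rng.randint(0, self._jitter)


HEX = string.hexdigits[:16].encode()  # nonce alphabet assumed for the demo


def recover_nonce(oracle, length, alphabet=HEX, samples=64):
    """Byte-at-a-time recovery. For each position, the candidate whose mean
    timing is highest is the one that survived one more byte comparison.
    Averaging `samples` probes per candidate is the statistical step that
    beats the jitter."""
    known = b""
    for pos in range(length):
        best, best_mean = None, -1.0
        for ch in alphabet:
            guess = known + bytes([ch]) + b"0" * (length - pos - 1)
            timings = []
            for _ in range(samples):
                accepted, elapsed = oracle.probe(guess)
                if accepted:  # last byte found: the oracle itself confirms it
                    return guess
                timings.append(elapsed)
            mean = statistics.fmean(timings)
            if mean > best_mean:
                best, best_mean = ch, mean
        known += bytes([best])
    return known


NONCE = b"3f9ac07e"  # constructed secret nonce held in the server-side session


def demo():
    """Run the attack against both comparators.
    Returns (leaky_result, constant_time_result, constant_time_result_accepted)."""
    leaky = recover_nonce(NonceOracle(NONCE, leaky_equals), len(NONCE))
    ct_oracle = NonceOracle(NONCE, constant_time_equals)
    ct_guess = recover_nonce(ct_oracle, len(NONCE))
    return leaky, ct_guess, ct_oracle.probe(ct_guess)[0]


if __name__ == "__main__":
    leaky, ct_guess, ct_ok = demo()
    print("early-exit compare:    recovered", leaky, "correct:", leaky == NONCE)
    print("constant-time compare: recovered", ct_guess, "accepted:", ct_ok)
```

Against the early-exit comparator the attacker recovers the full nonce with 16 candidates times 64 probes per byte; against the constant-time comparator every candidate has the same timing distribution, so the "recovered" value is noise and the oracle rejects it. Real network jitter is far larger than the two units modelled here, which is why the attack needs many more samples in practice, but the averaging step scales and the fix (constant-time comparison) removes the signal entirely rather than merely burying it.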
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 397.v8b_36a_98b_0c6 or later
Vendor Advisory: https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3227
Restart Required: Yes
Instructions:
1. Update Jenkins Azure AD Plugin to version 397.v8b_36a_98b_0c6 or later via Manage Jenkins > Plugin Manager > Updates.
2. Restart the Jenkins instance (a safe restart lets running builds finish first).
3. Verify the installed version under Manage Jenkins > Plugin Manager > Installed.
🔧 Temporary Workarounds
Disable Azure AD Plugin
Temporarily disable the vulnerable plugin if immediate patching is not possible. Caveat: if Azure AD is the configured security realm, first switch Jenkins to another security realm (for example Jenkins' own user database) under Manage Jenkins > Security; disabling the plugin while it is the active realm leaves nobody able to log in.
Navigate to Manage Jenkins > Plugin Manager > Installed tab > Find 'Azure AD Plugin' > Click 'Disable'
🧯 If You Can't Patch
- Implement strict network access controls to limit Jenkins access to trusted sources only
- Rate-limit and alert on repeated requests to the Azure AD login callback at the reverse proxy or WAF; the timing attack needs a large number of measured requests from one vantage point, so throttling raises its cost and adds jitter to the measurements
🔍 How to Verify
Check if Vulnerable:
Check Azure AD Plugin version in Jenkins: Manage Jenkins > Plugin Manager > Installed tab > Find 'Azure AD Plugin' and check version number.
Check Version:
curl -s -u USER:API_TOKEN "https://jenkins-host/pluginManager/api/json?depth=1" | jq -r '.plugins[] | select(.shortName=="azure-ad") | .version'
(The plugin manager API requires authentication; use an account with administrative access and an API token. In the JSON, shortName and version are not adjacent fields, so match on the parsed object rather than on raw text.)
Verify Fix Applied:
Verify the Azure AD Plugin version is 397.v8b_36a_98b_0c6 or later in Plugin Manager. Jenkins plugin versions are not semver: compare the leading integer (397 or above is fixed; 396 or below is affected), and treat 378.380.v545b_1154b_3fb_ as not affected, as stated in the advisory.
📡 Detection & Monitoring
Log Indicators:
- Unusual CSRF token validation failures
- Multiple failed authentication attempts with timing patterns
- Unexpected plugin activity logs
Network Indicators:
- Unusual volumes or timing patterns of requests to the Azure AD login callback (typically /securityRealm/finishLogin) from a single source
- Repeated nonce validation attempts
SIEM Query:
source="jenkins.log" ("CSRF" OR "nonce") ("failed" OR "invalid") | stats count BY src_ip | where count > 50
(Splunk SPL; adjust the source, the match strings to what your plugin version actually logs, the source-IP field name and the threshold to your environment.)
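To make the network indicators concrete, here is an added example (Python, written for this page; not part of the page's SIEM query or of the plugin) that runs the per-source detection logic over constructed reverse-proxy access-log lines. It assumes the plugin's login callback is served at /securityRealm/finishLogin and that the proxy writes the common/combined log format; the IP addresses, timestamps, status codes and threshold are constructed for the demonstration and should be tuned to real traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed callback path of the Azure AD login flow (the plugin's OAuth
# redirect URI). Adjust if your deployment uses a different path.
CALLBACK_PATH = "/securityRealm/finishLogin"

# Common/combined access-log format as written by nginx or Apache in front of Jenkins.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, path without query string, status) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"].split("?", 1)[0], int(m["status"])


def find_callback_probing(lines, window_seconds=60, threshold=20):
    """Flag source IPs that hit the login callback more than `threshold` times
    inside any sliding window of `window_seconds`. A legitimate login completes
    the callback once; a timing attack needs thousands of measured requests
    from the same vantage point. Returns {ip: peak hits seen in one window}."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, _status = rec
        if path != CALLBACK_PATH:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]) > timedelta(seconds=window_seconds):
            window.popleft()
        if len(window) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(window))
    return flagged


def _log_line(ip, ts, path, status):
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" {status} 0 "-" "Mozilla/5.0"'


def build_sample_log():
    """Constructed access-log excerpt: one normal login plus attacker probing."""
    t0 = datetime(2023, 9, 7, 10, 0, 0, tzinfo=timezone.utc)
    lines = [
        _log_line("198.51.100.4", t0, "/securityRealm/commenceLogin?from=%2F", 302),
        _log_line("198.51.100.4", t0 + timedelta(seconds=3),
                  "/securityRealm/finishLogin?code=AQABsample&state=s1", 302),
        _log_line("198.51.100.4", t0 + timedelta(seconds=5), "/job/build/", 200),
    ]
    # Attacker replaying the callback 25 times in 25 seconds to sample timings.
    for i in range(25):
        lines.append(_log_line("203.0.113.7", t0 + timedelta(seconds=30 + i),
                               f"/securityRealm/finishLogin?code=probe{i}&state=s1", 403))
    return lines


if __name__ == "__main__":
    for ip, hits in find_callback_probing(build_sample_log()).items():
        print(f"ALERT {ip}: {hits} login-callback requests within 60s")
```

The sliding window is what separates a burst from ordinary usage: the normal user appears once in the callback path and is never flagged, while the constructed attacker crosses the threshold on the 21st request and peaks at 25. Feed real proxy logs through the same function, and raise the threshold if legitimate automation (for example a shared test account logging in repeatedly) produces false positives.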