Jenkins Azure AD Plugin 396.v86ce29279947 and earlier, except 378.380.v545b_1154b_3fb_, uses a non-constant time comparison function when checking whether the provided and expected CSRF protection nonce are equal, potentially allowing attackers to use statistical methods to obtain a valid nonce.
[
{
"defaultStatus": "affected",
"product": "Jenkins Azure AD Plugin",
"vendor": "Jenkins Project",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "397.v907382dd9b_98",
"versionType": "maven"
},
{
"lessThan": "378.*",
"status": "unaffected",
"version": "378.380.v545b_1154b_3fb_",
"versionType": "maven"
}
]
}
]