GHSA-hjh8-9gxh-cx4x

Source

https://github.com/advisories/GHSA-hjh8-9gxh-cx4x

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-hjh8-9gxh-cx4x/GHSA-hjh8-9gxh-cx4x.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-hjh8-9gxh-cx4x

Aliases

CVE-2023-32997

Published

2023-05-16T18:30:16Z

Modified

2024-02-16T08:17:50.793369Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Jenkins CAS Plugin Session Fixation vulnerability

Details

Jenkins CAS Plugin 1.6.2 and earlier does not invalidate the existing session on login.

This allows attackers to use social engineering techniques to gain administrator access to Jenkins.

CAS Plugin 1.6.3 invalidates the existing session on login.

Database specific

{
    "nvd_published_at": "2023-05-16T17:15:12Z",
    "cwe_ids": [
        "CWE-384"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-17T03:35:52Z"
}

References

Affected packages

Maven / org.jenkins-ci.plugins:cas-plugin

Package

Name: org.jenkins-ci.plugins:cas-plugin; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/cas-plugin

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.6.3

Affected versions

1.*

1.0.0

1.1.0

1.1.1

1.1.2

1.2.0

1.3.0

1.4.0

1.4.1

1.4.2

1.4.3

1.5.0

1.6.0

1.6.1

1.6.2