GHSA-rwg5-2pv9-633w

Suggest an improvement
Source
https://github.com/advisories/GHSA-rwg5-2pv9-633w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-rwg5-2pv9-633w/GHSA-rwg5-2pv9-633w.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-rwg5-2pv9-633w
Aliases
  • CVE-2023-37946
Published
2023-07-12T18:30:38Z
Modified
2024-02-16T08:20:41.158673Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Jenkins OpenShift Login Plugin session fixation vulnerability
Details

Jenkins OpenShift Login Plugin 1.1.0.227.v27e08dfb1a20 and earlier does not invalidate the existing session on login.

This allows attackers to use social engineering techniques to gain administrator access to Jenkins.

OpenShift Login Plugin 1.1.0.230.v5d7030b_f5432 invalidates the existing session on login.

References

Affected packages

Maven / org.openshift.jenkins:openshift-login

Package

Name
org.openshift.jenkins:openshift-login
View open source insights on deps.dev
Purl
pkg:maven/org.openshift.jenkins/openshift-login

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.1.0.230.v5d7030b

Affected versions

0.*

0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
0.10
0.11
0.12

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.0.11
1.0.12
1.0.13
1.0.14
1.0.15
1.0.16
1.0.17
1.0.18
1.0.19
1.0.20
1.0.21
1.0.22
1.0.23
1.0.24
1.0.25
1.0.26
1.0.27
1.0.28
1.0.29
1.1.0.227.v27e08dfb_1a_20