PT-2023-3964 · Jenkins · Jenkins Openshift Login Plugin+1
Kevin Guerroudj +1
Published 2023-07-12 · Updated 2023-07-26
CVE-2023-37946
CVSS v2.0: 10 (High)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Jenkins OpenShift Login Plugin versions 1.1.0.227.v27e08dfb1a20 and earlier
Description
The vulnerability is an incorrect session management flaw (session fixation) in the Jenkins OpenShift Login Plugin: the plugin does not invalidate the previous session on login. A remote attacker can exploit this, using social engineering techniques, to bypass security restrictions and gain administrator access to Jenkins.
Recommendations
For Jenkins OpenShift Login Plugin versions 1.1.0.227.v27e08dfb1a20 and earlier, update to version 1.1.0.230.v5d7030bf5432 or later, which invalidates the existing session on login. As a temporary workaround, consider restricting access to the plugin until the update can be applied.
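As an added example (a model written for this record, not the plugin's own code), the two login behaviours side by side: the pre-fix handler keeps writing the authenticated identity into whatever session id the request arrived with, while the fixed handler invalidates that session and binds the identity to a freshly issued id. The check function is the test a reviewer would run to confirm that the fix took effect; the session store and user name are constructed for the example.

```python
import secrets


class SessionStore:
    """Minimal server-side session store: session id -> attributes."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        sid = secrets.token_urlsafe(16)   # unguessable id, generated server-side
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def invalidate(self, sid):
        self._sessions.pop(sid, None)


def login_vulnerable(store, sid, user, is_admin):
    """Pre-fix behaviour: the identity is stored in the session the request
    already carried, so an id that existed before authentication stays valid
    and now carries the logged-in (possibly admin) identity."""
    session = store.get(sid)
    if session is None:                    # no usable session: create one
        sid = store.new_session()
        session = store.get(sid)
    session.update(user=user, admin=is_admin)
    return sid


def login_fixed(store, sid, user, is_admin):
    """Post-fix behaviour: destroy the pre-login session and issue a new id,
    so nothing known before authentication identifies the logged-in user."""
    store.invalidate(sid)
    new_sid = store.new_session()
    store.get(new_sid).update(user=user, admin=is_admin)
    return new_sid


def pre_login_id_still_authenticated(login):
    """Reviewer check: after login, does the id issued *before* login still
    resolve to an authenticated session? True means session fixation."""
    store = SessionStore()
    pre_login_sid = store.new_session()    # id handed out before any login
    login(store, pre_login_sid, "alice", True)   # constructed admin login
    stale = store.get(pre_login_sid)
    return stale is not None and stale.get("user") == "alice"
```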
Fix
Session Fixation
Weakness Enumeration
Related identifiers
Affected products
Jenkins
Jenkins Openshift Login Plugin