PT-2023-3964 · Jenkins · Jenkins Openshift Login Plugin

Kevin Guerroudj

Published 2023-07-12

Updated 2023-07-26

CVE-2023-37946

CVSS v2.0

10.0 (High)

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Jenkins OpenShift Login Plugin versions 1.1.0.227.v27e08dfb1a20 and earlier

Description

The issue is a session fixation weakness in the Jenkins OpenShift Login Plugin. The plugin does not invalidate the existing HTTP session when a user logs in, so a session ID that was issued before authentication stays valid and simply becomes bound to the user who logs in with it. A remote attacker who already knows such a session ID and can induce an administrator to log in while the administrator's browser presents that ID (the advisory attributes this to social engineering) can then use the same ID to act as the administrator, bypassing authentication and gaining administrator access to Jenkins.

Recommendations

For Jenkins OpenShift Login Plugin versions 1.1.0.227.v27e08dfb1a20 and earlier, update to version 1.1.0.230.v5d7030bf5432 or later, which invalidates the existing session on login so that a pre-authentication session ID can never become an authenticated one. As a temporary workaround, consider restricting access to the plugin until the update can be applied.
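The difference between the unpatched and patched behaviour described above, as an added Python model that is not code from this page or from the plugin itself. The `SessionStore`, `login_vulnerable` and `login_fixed` names are hypothetical stand-ins for the servlet container's session table and the plugin's login callback; `fixation_attack` runs the session fixation scenario against either handler and reports whether the attacker's planted session ID ends up authenticated as administrator.

```python
"""Session fixation model: a login handler that keeps the pre-authentication
session versus one that invalidates it and issues a fresh session ID.

Added example; names and the in-memory store are stand-ins, not the plugin's
real code."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    """Server-side session record; user is None until authentication."""
    user: Optional[str] = None
    is_admin: bool = False


class SessionStore:
    """In-memory stand-in for the servlet container's session table."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        sid = secrets.token_hex(16)  # unguessable ID, as a real container issues
        self.sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self.sessions.get(sid)

    def invalidate(self, sid: str) -> None:
        self.sessions.pop(sid, None)


LoginHandler = Callable[[SessionStore, Optional[str], str, bool], str]


def login_vulnerable(store: SessionStore, sid: Optional[str],
                     user: str, is_admin: bool) -> str:
    """Unpatched behaviour: the identity is written into whatever session the
    request already carries, so a session ID that existed before login stays
    valid and simply becomes an authenticated one."""
    sess = store.get(sid) if sid else None
    if sess is None:
        sid = store.new_session()
        sess = store.sessions[sid]
    sess.user, sess.is_admin = user, is_admin
    return sid  # same ID the browser arrived with


def login_fixed(store: SessionStore, sid: Optional[str],
                user: str, is_admin: bool) -> str:
    """Patched behaviour: the pre-authentication session is invalidated and
    the identity is bound to a freshly issued ID, so an ID the attacker
    already knows never becomes authenticated."""
    if sid:
        store.invalidate(sid)
    new_sid = store.new_session()
    sess = store.sessions[new_sid]
    sess.user, sess.is_admin = user, is_admin
    return new_sid


def fixation_attack(login: LoginHandler) -> Dict[str, bool]:
    """Session fixation scenario against a given login handler."""
    store = SessionStore()
    # 1. Attacker obtains a valid, unauthenticated session ID from the server.
    planted_sid = store.new_session()
    # 2. The administrator is induced to log in while their browser presents
    #    the planted ID (the advisory attributes this to social engineering).
    victim_sid = login(store, planted_sid, "admin", True)
    # 3. Attacker replays the planted ID and checks what it is now worth.
    hijacked = store.get(planted_sid)
    return {
        "session_rotated": victim_sid != planted_sid,
        "attacker_is_admin": hijacked is not None and hijacked.is_admin,
    }


if __name__ == "__main__":
    for name, handler in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        print(name, fixation_attack(handler))
```

The same property is what a practitioner checks against a live instance: capture the JSESSIONID cookie Jenkins issues before starting the OpenShift login and compare it with the one in use after login completes. If the value is unchanged, the login left the pre-authentication session intact, which is the unpatched behaviour; the fixed plugin version issues a new session on login.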

Fix

Weakness Enumeration

Session Fixation (CWE-384)

Related Identifiers

BDU:2023-04259
CVE-2023-37946
GHSA-RWG5-2PV9-633W
RHSA-2024:0775
RHSA-2024:0776
RHSA-2024:0777

Affected Products

Jenkins
Jenkins Openshift Login Plugin