Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1oamg4LTlneGgtY3g0eM4AAzXP
Jenkins CAS Plugin Session Fixation vulnerability
Jenkins CAS Plugin 1.6.2 and earlier does not invalidate the existing session on login.
This allows attackers to use social engineering techniques to gain administrator access to Jenkins.
CAS Plugin 1.6.3 invalidates the existing session on login.
Permalink: https://github.com/advisories/GHSA-hjh8-9gxh-cx4xJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oamg4LTlneGgtY3g0eM4AAzXP
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 12 months ago
Updated: 4 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-hjh8-9gxh-cx4x, CVE-2023-32997
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-32997
- https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3000
- https://github.com/jenkinsci/cas-plugin/commit/3a33cc0175bcc18801faf9125afb38d495b5995f
- https://github.com/advisories/GHSA-hjh8-9gxh-cx4x
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:cas-plugin
Affected Version Ranges: < 1.6.3Fixed in: 1.6.3