Script Security Vulnerability in Jenkins Plugin by Jenkins
CVE-2022-45379
7.5 HIGH
Key Information:
- Vendor: Jenkins
- CVE Published: 15 November 2022
Summary
The Jenkins Script Security Plugin prior to version 1189.vb_a_b_7c8fd5fde is vulnerable because of how it stores script approvals. Whole-script approvals are stored as the SHA-1 hash of the script, which exposes them to collision attacks: a malicious actor could craft a script that bypasses the approval check. Organizations using this plugin should update to the latest version to mitigate the vulnerability.
Affected Version(s)
Jenkins Script Security Plugin <= 1189.vb_a_b_7c8fd5fde
Jenkins Script Security Plugin 1175.1179.vea_f7532629e1
CVSS V3.1
- Score: 7.5
- Severity: HIGH
- Confidentiality: High
- Integrity: None
- Availability: High
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved