2222709 – (CVE-2023-37946) CVE-2023-37946 Jenkins: Session fixation vulnerability in OpenShift Login Plugin

Bug 2222709 (CVE-2023-37946) - CVE-2023-37946 Jenkins: Session fixation vulnerability in OpenShift Login Plugin

Summary: CVE-2023-37946 Jenkins: Session fixation vulnerability in OpenShift Login Plugin

Keywords:
Status:	NEW
Alias:	CVE-2023-37946
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2222712
TreeView+	depends on / blocked

Reported:	2023-07-13 14:28 UTC by Zack Miele
Modified:	2023-07-17 13:53 UTC (History)
CC List:	8 users (show)
Fixed In Version:	OpenShift Login Plugin 1.1.0.230.v5d7030b_f5432
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the Jenkins OpenShift Login Plugin. Affected versions of this plugin could allow a remote attacker to bypass security restrictions caused by not invalidating the existing session on login. By persuading a victim to visit a specially crafted Web site, an attacker can gain administrator access to Jenkins.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Zack Miele 2023-07-13 14:28:07 UTC

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.
https://www.jenkins.io/security/advisory/2023-07-12/

SECURITY-2998 / CVE-2023-37946
OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier does not
invalidate the existing session on login.

This allows attackers to use social engineering techniques to gain
administrator access to Jenkins.

Note You need to log in before you can comment on or make changes to this bug.