CVE-2023-32997 – org.jenkins-ci.plugins:cas-plugin

Package

Manager: maven
Name: org.jenkins-ci.plugins:cas-plugin
Vulnerable Version: >=0 <1.6.3

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00189 pctl0.41005

Details

Jenkins CAS Plugin Session Fixation vulnerability Jenkins CAS Plugin 1.6.2 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. CAS Plugin 1.6.3 invalidates the existing session on login.

Metadata

Created: 2023-05-16T18:30:16Z
Modified: 2023-05-17T03:35:52Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-hjh8-9gxh-cx4x/GHSA-hjh8-9gxh-cx4x.json
CWE IDs: ["CWE-384"]
Alternative ID: GHSA-hjh8-9gxh-cx4x
Finding: F280
Auto approve: 1