CVE-2023-33005 – org.jenkins-ci.plugins:wso2id-oauth
Package
Manager: maven
Name: org.jenkins-ci.plugins:wso2id-oauth
Vulnerable Version: >=0 <=1.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00188 (percentile 0.40904)
Details
Jenkins WSO2 Oauth Plugin Session Fixation vulnerability
Jenkins WSO2 Oauth Plugin 1.0 and earlier does not invalidate the existing session on login. An attacker who can get a session identifier they already know into a victim's browser (for example by social engineering the victim into visiting a prepared link) can wait for the victim to log in through the plugin and then reuse that same identifier, which is now bound to the victim's authenticated account; if the victim is an administrator, this grants administrator access to Jenkins. As of publication of this advisory, there is no fix.
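The following is an added illustration of the defect class described above, not code from the WSO2 Oauth plugin or from the Jenkins project. It shows the shape of an OAuth callback handler that authenticates into the session the browser arrived with (the session fixation pattern, CWE-384) next to the hardened shape that invalidates that session and starts a fresh one before binding the principal. The package name, class name, action method names and the `exchangeCodeForUsername` helper are hypothetical; the Stapler, Spring Security and Jenkins core types used are the ones a Jenkins plugin built against a Spring Security 5 era core would import.

```java
package io.example.oauthplugin; // hypothetical package, not the real plugin's

import java.io.IOException;
import java.util.List;

import javax.servlet.http.HttpSession;

import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.StaplerRequest;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

import hudson.security.SecurityRealm;
import jenkins.security.SecurityListener;

/** Hypothetical Stapler-bound object handling the OAuth redirect back to Jenkins. */
public class OAuthLoginAction {

    /**
     * Vulnerable shape (session fixation): the principal is bound to whatever
     * session the browser already carried. If an attacker planted that session
     * id before the victim logged in, the attacker's copy of the id is now an
     * authenticated session for the victim's account.
     */
    public HttpResponse doFinishLoginVulnerable(StaplerRequest request) throws IOException {
        String username = exchangeCodeForUsername(request.getParameter("code"));
        Authentication auth = buildAuthentication(username);

        // No session rotation: the pre-login session id survives authentication.
        SecurityContextHolder.getContext().setAuthentication(auth);
        SecurityListener.fireLoggedIn(username);
        return HttpResponses.redirectToContextRoot();
    }

    /**
     * Hardened shape: throw away the session the user arrived with and create a
     * new one, so any id an attacker knew beforehand is no longer valid. The
     * authenticated SecurityContext is then persisted into the fresh session by
     * the security filter chain at the end of the request.
     */
    public HttpResponse doFinishLoginFixed(StaplerRequest request) throws IOException {
        String username = exchangeCodeForUsername(request.getParameter("code"));
        Authentication auth = buildAuthentication(username);

        // Rotate the session id before granting authority to the principal.
        HttpSession preLogin = request.getSession(false);
        if (preLogin != null) {
            preLogin.invalidate();
        }
        request.getSession(true);

        SecurityContextHolder.getContext().setAuthentication(auth);
        SecurityListener.fireLoggedIn(username);
        return HttpResponses.redirectToContextRoot();
    }

    /** Builds a Jenkins-style authenticated token carrying the "authenticated" authority. */
    private static Authentication buildAuthentication(String username) {
        return new UsernamePasswordAuthenticationToken(
                username, "", List.of(SecurityRealm.AUTHENTICATED_AUTHORITY2));
    }

    /**
     * Hypothetical stand-in for the OAuth code-for-token exchange and user info
     * lookup; a real plugin would call the identity provider here. Rejecting a
     * missing code keeps the handler from authenticating anyone by accident.
     */
    private static String exchangeCodeForUsername(String code) throws IOException {
        if (code == null || code.isEmpty()) {
            throw new IOException("missing authorization code");
        }
        // Constructed placeholder result for illustration only.
        return "user-for-" + code;
    }
}
```

To check a running instance for this class of defect, record the value of the Jenkins session cookie (JSESSIONID with a per-instance suffix) before starting the plugin's login flow and again after the redirect back into Jenkins; if the value is unchanged and the session is now authenticated, the login path did not rotate the session and is exposed to fixation.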
Metadata
Created: 2023-05-16T18:30:16Z
Modified: 2023-05-17T03:46:29Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-xxq2-74hw-vg6m/GHSA-xxq2-74hw-vg6m.json
CWE IDs: ["CWE-384", "CWE-613"]
Alternative ID: GHSA-xxq2-74hw-vg6m
Finding: F280
Auto approve: 1