CVE-2023-37947 - Vulnerability Details

Jenkins OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00082.

Exploitation none

Automatable no

Technical Impact partial

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Jenkins Project

Jenkins OpenShift Login Plugin

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.1.0.227.v27e08dfb_1a_20

Configuration 1 [-]

cpe:2.3:a:jenkins:openshift_login:*:*:*:*:*:jenkins:*:*

Package	CPE	Advisory	Released Date
OCP-Tools-4.12-RHEL-8
jenkins-2-plugins-0:4.12.1706515741-1.el8	cpe:/a:redhat:ocp_tools:4.12::el8	RHSA-2024:0778	2024-02-12T00:00:00Z
OCP-Tools-4.14-RHEL-8
jenkins-2-plugins-0:4.14.1706516441-1.el8	cpe:/a:redhat:ocp_tools:4.14::el8	RHSA-2024:0777	2024-02-12T00:00:00Z

No data.

Project Subscriptions

Vendors	Products
Jenkins Subscribe	Openshift Login Subscribe
Jenkins Project Subscribe	Jenkins Openshift Login Plugin Subscribe
Redhat Subscribe	Ocp Tools Subscribe

Advisories

Source	ID	Title
EUVD	EUVD-2023-1934	Jenkins OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks.
Github GHSA	GHSA-35gf-xjgf-96c5	Jenkins OpenShift Login Plugin vulnerable to Open Redirect

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2023/07/12/2
https://nvd.nist.gov/vuln/detail/CVE-2023-37947
https://www.cve.org/CVERecord?id=CVE-2023-37947
https://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-2999

History

Thu, 07 Nov 2024 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Jenkins Project Jenkins Project jenkins Openshift Login Plugin
CPEs		cpe:2.3:a:jenkins_project:jenkins_openshift_login_plugin::::::::
Vendors & Products		Jenkins Project Jenkins Project jenkins Openshift Login Plugin
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: jenkins

Published: 2023-07-12T15:52:49.789Z

Updated: 2024-11-07T14:56:33.403Z

Reserved: 2023-07-11T09:47:04.493Z

Link: CVE-2023-37947

Vulnrichment

Updated: 2024-08-02T17:23:27.820Z

NVD

Status : Modified

Published: 2023-07-12T16:15:13.277

Modified: 2024-11-21T08:12:31.180

Link: CVE-2023-37947

Redhat

Severity : Moderate

Publid Date: 2023-07-12T00:00:00Z

Links: CVE-2023-37947 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

CWE-601

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object