CVE-2023-37947 - Vulnerability Details

Description

Jenkins OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks.

Published: 2023-07-12

Score: 6.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Jenkins Project

Jenkins OpenShift Login Plugin

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.1.0.227.v27e08dfb_1a_20

Configuration 1 [-]

cpe:2.3:a:jenkins:openshift_login:*:*:*:*:*:jenkins:*:*

Package	CPE	Advisory	Released Date
OCP-Tools-4.12-RHEL-8
jenkins-2-plugins-0:4.12.1706515741-1.el8	cpe:/a:redhat:ocp_tools:4.12::el8	RHSA-2024:0778	2024-02-12T00:00:00Z
OCP-Tools-4.14-RHEL-8
jenkins-2-plugins-0:4.14.1706516441-1.el8	cpe:/a:redhat:ocp_tools:4.14::el8	RHSA-2024:0777	2024-02-12T00:00:00Z

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2023-1934	Jenkins OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks.
Github GHSA	GHSA-35gf-xjgf-96c5	Jenkins OpenShift Login Plugin vulnerable to Open Redirect

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00082.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
http://www.openwall.com/lists/oss-security/2023/07/12/2
https://nvd.nist.gov/vuln/detail/CVE-2023-37947
https://www.cve.org/CVERecord?id=CVE-2023-37947
https://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-2999

History

Thu, 07 Nov 2024 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Jenkins Project Jenkins Project jenkins Openshift Login Plugin
CPEs		cpe:2.3:a:jenkins_project:jenkins_openshift_login_plugin::::::::
Vendors & Products		Jenkins Project Jenkins Project jenkins Openshift Login Plugin
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Subscriptions

Jenkins Openshift Login

Jenkins Project Jenkins Openshift Login Plugin

Redhat Ocp Tools

MITRE

Status: PUBLISHED

Assigner: jenkins

Published: 2023-07-12T15:52:49.789Z

Updated: 2024-11-07T14:56:33.403Z

Reserved: 2023-07-11T09:47:04.493Z

Link: CVE-2023-37947

Vulnrichment

Updated: 2024-08-02T17:23:27.820Z

NVD

Status : Modified

Published: 2023-07-12T16:15:13.277

Modified: 2024-11-21T08:12:31.180

Link: CVE-2023-37947

Redhat

Severity : Moderate

Publid Date: 2023-07-12T00:00:00Z

Links: CVE-2023-37947 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

CWE-601

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object