Lucene search

GitHub Advisory DatabaseGHSA-7XGJ-J9HP-C692

HistoryMay 16, 2023 - 6:30 p.m.

Jenkins WSO2 Oauth Plugin cross-site request forgery vulnerability

2023-05-1618:30:16

CWE-352

GitHub Advisory Database

github.com

jenkins

wso2

oauth

plugin

cross-site request forgery

vulnerability

authentication

attack

fix

software

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

0.0005 Low

EPSS

Percentile

16.2%

JSON

Jenkins WSO2 Oauth Plugin 1.0 and earlier does not implement a state parameter in its OAuth flow, a unique and non-guessable value associated with each authentication request.

This vulnerability allows attackers to trick users into logging in to the attacker’s account.

As of publication of this advisory, there is no fix.

Affected configurations

Vulners

Node

wp-oauthwp_oauth_serverRange≤1.0wordpress

CPENameOperatorVersion
org.jenkins-ci.plugins:wso2id-oauthle1.0

CPE	Name	Operator	Version
	org.jenkins-ci.plugins:wso2id-oauth	le	1.0

References

github.com/advisories/GHSA-7xgj-j9hp-c692

nvd.nist.gov/vuln/detail/CVE-2023-33006

www.jenkins.io/security/advisory/2023-05-16/#SECURITY-2990

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

0.0005 Low

EPSS

Percentile

16.2%

JSON

Related for GHSA-7XGJ-J9HP-C692