Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-FV42-MX39-6FPW
HistoryNov 16, 2022 - 12:00 p.m.

Whole-script approval in Jenkins Script Security Plugin vulnerable to SHA-1 collisions

2022-11-1612:00:22
CWE-326
CWE-328
GitHub Advisory Database
github.com
12
jenkins
script security
sha-1
sha-512
vulnerable
upgrade
collisions
administrators

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.002

Percentile

52.5%

JSON

Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the approved script. SHA-1 no longer meets the security standards for producing a cryptographically secure message digest.

Script Security Plugin 1190.v65867a_a_47126 uses SHA-512 for new whole-script approvals. Previously approved scripts will have their SHA-1 based whole-script approval replaced with a corresponding SHA-512 whole-script approval when the script is next used.

Whole-script approval only stores the SHA-1 or SHA-512 hash, so it is not possible to migrate all previously approved scripts automatically on startup.

Administrators concerned about SHA-1 collision attacks on the whole-script approval feature are able to revoke all previous (SHA-1) script approvals on the In-Process Script Approval page.

Affected configurations

Vulners
Node
org.jenkins-ci.pluginsscript-securityRange1189.vb
VendorProductVersionCPE
org.jenkins-ci.pluginsscript-security*cpe:2.3:a:org.jenkins-ci.plugins:script-security:*:*:*:*:*:*:*:*

Related

prion 1
nvd 1
veracode 1
cve 1
cvelist 1
osv 2
redhatcve 1
alpinelinux 1
ibm 2
nessus 6
redhat 3
prion
prion
Design/Logic Flaw
2022-11-15 20:15:00
nvd
nvd
CVE-2022-45379
2022-11-15 20:15:11
veracode
veracode
Collision Attack
2023-03-07 00:49:51
cve
cve
CVE-2022-45379
2022-11-15 20:15:11
cvelist
cvelist
CVE-2022-45379
2022-11-15 00:00:00
osv
osv
CVE-2022-45379
2022-11-15 20:15:11
Whole-script approval in Jenkins Script Security Plugin vulnerable to SHA-1 collisions
2022-11-16 12:00:22
redhatcve
redhatcve
CVE-2022-45379
2022-11-16 02:55:58
alpinelinux
alpinelinux
CVE-2022-45379
2022-11-15 20:15:11
ibm
ibm
Security Bulletin: IBM Automation Decision Services - Multiple CVEs addressed (February 2024)
2024-03-11 09:56:22
Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for February 2024.
2024-03-01 19:39:59
nessus
nessus
RHEL 8 : OpenShift Container Platform 4.10.51 (RHSA-2023:0560)
2024-04-28 00:00:00
RHCOS 4 : OpenShift Container Platform 4.10.51 (RHSA-2023:0560)
2024-01-24 00:00:00
Jenkins plugins Multiple Vulnerabilities (2022-11-15)
2023-08-04 00:00:00
redhat
redhat
(RHSA-2023:0560) Critical: OpenShift Container Platform 4.10.51 security update
2023-02-08 18:32:53
(RHSA-2023:0777) Critical: OpenShift Container Platform 4.9.56 security update
2023-02-22 23:54:53
(RHSA-2023:0778) Moderate: OpenShift Container Platform 4.9.56 security update
2023-02-22 23:47:54

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.002

Percentile

52.5%

JSON
Related for GHSA-FV42-MX39-6FPW
prion1nvd1veracode1cve1cvelist1osv2redhatcve1alpinelinux1ibm2nessus6redhat3