search

hygieia / hygieia-publisher-jenkins-plugin

Jenkins Plugin to publish build and pipeline data to Hygieia
https://github.com/Hygieia/Hygieia/blob/gh-pages/pages/hygieia/hygieia-jenkins-plugin/hygieia-jenkins-plugin.md
Apache License 2.0
4 stars 25 forks source link

CVE-2022-45379 (High) detected in script-security-1.66.jar #178

Open mend-bolt-for-github[bot] opened 2 years ago

mend-bolt-for-github[bot] commented 2 years ago

CVE-2022-45379 - High Severity Vulnerability

Vulnerable Library - script-security-1.66.jar

Allows Jenkins administrators to control what in-process scripts can be run by less-privileged users.

Library home page: https://wiki.jenkins.io/display/JENKINS/Script+Security+Plugin

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jenkins-ci/plugins/script-security/1.66/script-security-1.66.jar

Dependency Hierarchy: - git-4.2.1.jar (Root Library) - :x: **script-security-1.66.jar** (Vulnerable Library)

Found in HEAD commit: 97ed2b7fe477b78f0b26191e5950825314db7b2c

Found in base branch: master

Vulnerability Details

Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the script, making it vulnerable to collision attacks.

Publish Date: 2022-11-15

URL: CVE-2022-45379

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here