search

yael-lindman / jenkins

Jenkins automation server
https://www.jenkins.io
MIT License
1 stars 0 forks source link

CVE-2022-45379 (High) detected in script-security-1.54.jar #105

Open mend-bolt-for-github[bot] opened 2 years ago

mend-bolt-for-github[bot] commented 2 years ago

CVE-2022-45379 - High Severity Vulnerability

Vulnerable Library - script-security-1.54.jar

Allows Jenkins administrators to control what in-process scripts can be run by less-privileged users.

Library home page: https://wiki.jenkins.io/display/JENKINS/Script+Security+Plugin

Path to dependency file: /test/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jenkins-ci/plugins/script-security/1.54/script-security-1.54.jar

Dependency Hierarchy: - matrix-project-1.14.jar (Root Library) - :x: **script-security-1.54.jar** (Vulnerable Library)

Found in HEAD commit: 3abfb254ea347629c1aed893510d133a3831c30e

Found in base branch: master

Vulnerability Details

Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the script, making it vulnerable to collision attacks.

Publish Date: 2022-11-15

URL: CVE-2022-45379

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here