CVE-2022-45379

UNKNOWN
Published 2022-11-15T00:00:00
No CVSS data available

Description

Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the script, making it vulnerable to collision attacks.

Available Exploits

No exploits available for this CVE.

Affected Products

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed HIGH

Whole-script approval in Jenkins Script Security Plugin vulnerable to SHA-1 collisions

GHSA-fv42-mx39-6fpw

Advisory Details

Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the [SHA-1 hash](https://en.wikipedia.org/wiki/SHA-1) of the approved script. SHA-1 no longer meets the security standards for producing a cryptographically secure message digest. Script Security Plugin 1190.v65867a_a_47126 uses SHA-512 for new whole-script approvals. Previously approved scripts will have their SHA-1 based whole-script approval replaced with a corresponding SHA-512 whole-script approval when the script is next used. Whole-script approval only stores the SHA-1 or SHA-512 hash, so it is not possible to migrate all previously approved scripts automatically on startup. Administrators concerned about SHA-1 collision attacks on the whole-script approval feature are able to revoke all previous (SHA-1) script approvals on the In-Process Script Approval page.
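A minimal Python model of the migration behaviour described above, added here as an illustration and not taken from the Script Security Plugin's code. The `ApprovalStore` class, its method names and the sample scripts are assumptions; it shows why SHA-1 entries can only be upgraded when the script is next used, and what revoking the remaining ones leaves behind.

```python
import hashlib

SHA1_HEX_LEN = 40  # a stored entry of this length is a legacy SHA-1 approval


def sha1_id(script: str) -> str:
    return hashlib.sha1(script.encode("utf-8")).hexdigest()


def sha512_id(script: str) -> str:
    return hashlib.sha512(script.encode("utf-8")).hexdigest()


class ApprovalStore:
    """Hypothetical model of an approval list that keeps only digests."""

    def __init__(self, approved=()):
        self.approved = set(approved)

    def approve(self, script):
        # New approvals are recorded with SHA-512 only.
        self.approved.add(sha512_id(script))

    def is_approved(self, script):
        if sha512_id(script) in self.approved:
            return True
        legacy = sha1_id(script)
        if legacy in self.approved:
            # Migration on use: the script text is available now, so the
            # SHA-1 entry can be swapped for the corresponding SHA-512 one.
            self.approved.discard(legacy)
            self.approved.add(sha512_id(script))
            return True
        return False

    def legacy_entries(self):
        # Entries that cannot be migrated at startup: a digest cannot be
        # turned back into the script it was computed from.
        return {h for h in self.approved if len(h) == SHA1_HEX_LEN}

    def revoke_legacy(self):
        # Administrator action: drop every remaining SHA-1 approval.
        removed = self.legacy_entries()
        self.approved -= removed
        return len(removed)


# Constructed sample data: two scripts approved before the upgrade.
USED = "println 'nightly build'"
UNUSED = "println 'rarely run'"
store = ApprovalStore({sha1_id(USED), sha1_id(UNUSED)})
```

After a revocation, scripts that had already been migrated stay approved, while any script still held only as a SHA-1 entry has to be approved again.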

Affected Packages

Ecosystem: Maven
Package: org.jenkins-ci.plugins:script-security
Affected versions: ≥0 <1190.v65867a_a_47126

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Advisory provided by GitHub Security Advisory Database. Published: November 16, 2022, Modified: December 15, 2022

References

Published: 2022-11-15T00:00:00
Last Modified: 2024-08-03T14:09:57.037Z