Vulnerability Details : CVE-2022-45379
Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the script, making it vulnerable to collision attacks.
Products affected by CVE-2022-45379
- cpe:2.3:a:jenkins:script_security:*:*:*:*:*:jenkins:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-45379
0.16%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 52 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-45379
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2022-45379
-
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.Assigned by: nvd@nist.gov (Primary)
-
The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).Assigned by: jenkinsci-cert@googlegroups.com (Secondary)
References for CVE-2022-45379
-
http://www.openwall.com/lists/oss-security/2022/11/15/4
oss-security - Multiple vulnerabilities in Jenkins pluginsMailing List
-
https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2564
Jenkins Security Advisory 2022-11-15Vendor Advisory
Jump to