ghsa-fv42-mx39-6fpw
Vulnerability from github
Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the approved script. SHA-1 no longer meets the security standards for producing a cryptographically secure message digest.
Script Security Plugin 1190.v65867a_a_47126 uses SHA-512 for new whole-script approvals. Previously approved scripts will have their SHA-1 based whole-script approval replaced with a corresponding SHA-512 whole-script approval when the script is next used.
Whole-script approval only stores the SHA-1 or SHA-512 hash, so it is not possible to migrate all previously approved scripts automatically on startup.
Administrators concerned about SHA-1 collision attacks on the whole-script approval feature are able to revoke all previous (SHA-1) script approvals on the In-Process Script Approval page.
{ affected: [ { database_specific: { last_known_affected_version_range: "<= 1189.vb", }, package: { ecosystem: "Maven", name: "org.jenkins-ci.plugins:script-security", }, ranges: [ { events: [ { introduced: "0", }, { fixed: "1190.v65867a_a_47126", }, ], type: "ECOSYSTEM", }, ], }, ], aliases: [ "CVE-2022-45379", ], database_specific: { cwe_ids: [ "CWE-326", "CWE-328", ], github_reviewed: true, github_reviewed_at: "2022-11-21T22:20:41Z", nvd_published_at: "2022-11-15T20:15:00Z", severity: "HIGH", }, details: "Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the [SHA-1 hash](https://en.wikipedia.org/wiki/SHA-1) of the approved script. SHA-1 no longer meets the security standards for producing a cryptographically secure message digest.\n\nScript Security Plugin 1190.v65867a_a_47126 uses SHA-512 for new whole-script approvals. Previously approved scripts will have their SHA-1 based whole-script approval replaced with a corresponding SHA-512 whole-script approval when the script is next used.\n\nWhole-script approval only stores the SHA-1 or SHA-512 hash, so it is not possible to migrate all previously approved scripts automatically on startup.\n\nAdministrators concerned about SHA-1 collision attacks on the whole-script approval feature are able to revoke all previous (SHA-1) script approvals on the In-Process Script Approval page.", id: "GHSA-fv42-mx39-6fpw", modified: "2022-12-15T18:45:27Z", published: "2022-11-16T12:00:22Z", references: [ { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-45379", }, { type: "WEB", url: "https://github.com/jenkinsci/script-security-plugin/commit/65867aa471265a16198b92fb439782ba3554da66", }, { type: "PACKAGE", url: "https://github.com/jenkinsci/script-security-plugin", }, { type: "WEB", url: "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2564", }, { type: "WEB", url: "http://www.openwall.com/lists/oss-security/2022/11/15/4", }, ], schema_version: "1.4.0", severity: [ { score: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", type: "CVSS_V3", }, ], summary: "Whole-script approval in Jenkins Script Security Plugin vulnerable to SHA-1 collisions", }
Log in or create an account to share your comment.
This schema specifies the format of a comment related to a security advisory.
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.