CVE-2023-32997
HIGH8.8EPSS 0.80%Jenkins CAS Plugin Session Fixation vulnerability
Published: 5/16/2023Modified: 2/16/2024
Description
Jenkins CAS Plugin 1.6.2 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. CAS Plugin 1.6.3 invalidates the existing session on login.
Affected packages (1)
- Maven/org.jenkins-ci.plugins:cas-pluginfrom 0, < 1.6.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |