{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-37947", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "state": "PUBLISHED", "assignerShortName": "jenkins", "dateReserved": "2023-07-11T09:47:04.493Z", "datePublished": "2023-07-12T15:52:49.789Z", "dateUpdated": "2024-11-07T14:56:33.403Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Jenkins OpenShift Login Plugin", "vendor": "Jenkins Project", "versions": [{"lessThanOrEqual": "1.1.0.227.v27e08dfb_1a_20", "status": "affected", "version": "0", "versionType": "maven"}]}], "descriptions": [{"lang": "en", "value": "Jenkins OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T12:50:49.914Z"}, "references": [{"name": "Jenkins Security Advisory 2023-07-12", "tags": ["vendor-advisory"], "url": "https://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-2999"}, {"url": "http://www.openwall.com/lists/oss-security/2023/07/12/2"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:23:27.820Z"}, "title": "CVE Program Container", "references": [{"name": "Jenkins Security Advisory 2023-07-12", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-2999"}, {"url": "http://www.openwall.com/lists/oss-security/2023/07/12/2", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "jenkins_project", "product": "jenkins_openshift_login_plugin", "cpes": ["cpe:2.3:a:jenkins_project:jenkins_openshift_login_plugin:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.0.227.v27e08dfb_1a_20", "versionType": "maven"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-07T14:56:27.931545Z", "id": "CVE-2023-37947", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-07T14:56:33.403Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-2999", "name": "Jenkins Security Advisory 2023-07-12", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/07/12/2", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:23:27.820Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-37947", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-07T14:56:27.931545Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:jenkins_project:jenkins_openshift_login_plugin:*:*:*:*:*:*:*:*"], "vendor": "jenkins_project", "product": "jenkins_openshift_login_plugin", "versions": [{"status": "affected", "version": "0", "versionType": "maven", "lessThanOrEqual": "1.1.0.227.v27e08dfb_1a_20"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-07T14:56:13.547Z"}}], "cna": {"affected": [{"vendor": "Jenkins Project", "product": "Jenkins OpenShift Login Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "maven", "lessThanOrEqual": "1.1.0.227.v27e08dfb_1a_20"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-2999", "name": "Jenkins Security Advisory 2023-07-12", "tags": ["vendor-advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/07/12/2"}], "descriptions": [{"lang": "en", "value": "Jenkins OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T12:50:49.914Z"}}}, "cveMetadata": {"cveId": "CVE-2023-37947", "state": "PUBLISHED", "dateUpdated": "2024-11-07T14:56:33.403Z", "dateReserved": "2023-07-11T09:47:04.493Z", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "datePublished": "2023-07-12T15:52:49.789Z", "assignerShortName": "jenkins"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:openshift_login:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "02F96046-4EAB-4EE0-BE5D-726C599415A5", "versionEndExcluding": "1.1.0.230.v5d7030b_f5432", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Jenkins OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks."}], "id": "CVE-2023-37947", "lastModified": "2024-11-21T08:12:31.180", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-07-12T16:15:13.277", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/07/12/2"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-2999"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/07/12/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-2999"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:0778", "cpe": "cpe:/a:redhat:ocp_tools:4.12::el8", "package": "jenkins-2-plugins-0:4.12.1706515741-1.el8", "product_name": "OCP-Tools-4.12-RHEL-8", "release_date": "2024-02-12T00:00:00Z"}, {"advisory": "RHSA-2024:0777", "cpe": "cpe:/a:redhat:ocp_tools:4.14::el8", "package": "jenkins-2-plugins-0:4.14.1706516441-1.el8", "product_name": "OCP-Tools-4.14-RHEL-8", "release_date": "2024-02-12T00:00:00Z"}], "bugzilla": {"description": "Jenkins: Open redirect vulnerability in OpenShift Login Plugin", "id": "2222710", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2222710"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "status": "verified"}, "cwe": "CWE-601", "details": ["Jenkins OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks.", "A flaw was found in the Jenkins OpenShift Login Plugin. Affected versions of this plugin could allow a remote attacker to conduct phishing attacks caused by an open redirect vulnerability. An attacker can use a specially crafted URL to redirect a victim to arbitrary web sites."], "name": "CVE-2023-37947", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "jenkins-2-plugins", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "jenkins-2-plugins", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2023-07-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-37947\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-37947\nhttps://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-2999"], "threat_severity": "Moderate", "upstream_fix": "OpenShift Login Plugin 1.1.0.230.v5d7030b_f5432"}