{ "threat_severity" : "Moderate", "public_date" : "2018-10-10T00:00:00Z", "bugzilla" : { "description" : "jenkins: Session fixation vulnerability on user signup", "id" : "1642885", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1642885" }, "cvss3" : { "cvss3_base_score" : "5.4", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "status" : "verified" }, "cwe" : "CWE-384", "details" : [ "A session fixation vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java that prevented Jenkins from invalidating the existing session and creating a new one when a user signed up for a new user account." ], "affected_release" : [ { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2018-12-12T00:00:00Z", "advisory" : "RHBA-2018:3743", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "atomic-enterprise-service-catalog-1:3.11.51-1.git.1671.2d16650.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2018-12-12T00:00:00Z", "advisory" : "RHBA-2018:3743", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "atomic-openshift-0:3.11.51-1.git.0.1560686.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2018-12-12T00:00:00Z", "advisory" : "RHBA-2018:3743", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "atomic-openshift-cluster-autoscaler-0:3.11.51-1.git.0.0aa9fc2.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2018-12-12T00:00:00Z", "advisory" : "RHBA-2018:3743", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "atomic-openshift-descheduler-0:3.11.51-1.git.300.89070e8.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2018-12-12T00:00:00Z", "advisory" : "RHBA-2018:3743", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "atomic-openshift-dockerregistry-0:3.11.51-1.git.446.d29ce0e.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2018-12-12T00:00:00Z", "advisory" : "RHBA-2018:3743", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "atomic-openshift-metrics-server-0:3.11.51-1.git.52.03e3a91.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2018-12-12T00:00:00Z", "advisory" : "RHBA-2018:3743", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "atomic-openshift-node-problem-detector-0:3.11.51-1.git.254.22189b0.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2018-12-12T00:00:00Z", "advisory" : "RHBA-2018:3743", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "atomic-openshift-service-idler-0:3.11.51-1.git.14.813574a.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2018-12-12T00:00:00Z", "advisory" : "RHBA-2018:3743", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "atomic-openshift-web-console-0:3.11.51-1.git.324.0ae64ed.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2018-12-12T00:00:00Z", "advisory" : "RHBA-2018:3743", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "cri-o-0:1.11.10-1.rhaos3.11.git42c86f0.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2018-12-12T00:00:00Z", "advisory" : "RHBA-2018:3743", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "golang-github-openshift-oauth-proxy-0:3.11.51-1.git.419.1af74df.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2018-12-12T00:00:00Z", "advisory" : "RHBA-2018:3743", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "golang-github-prometheus-alertmanager-0:3.11.51-1.git.0.50a0687.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2018-12-12T00:00:00Z", "advisory" : "RHBA-2018:3743", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "golang-github-prometheus-node_exporter-0:3.11.51-1.git.1063.12dd8be.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2018-12-12T00:00:00Z", "advisory" : "RHBA-2018:3743", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "golang-github-prometheus-prometheus-0:3.11.51-1.git.5023.0ad933c.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2018-12-12T00:00:00Z", "advisory" : "RHBA-2018:3743", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "jenkins-0:2.138.2.1542054911-1.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2018-12-12T00:00:00Z", "advisory" : "RHBA-2018:3743", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "jenkins-2-plugins-0:3.11.1542061886-1.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2018-12-12T00:00:00Z", "advisory" : "RHBA-2018:3743", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "kibana-0:5.6.13-1.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2018-12-12T00:00:00Z", "advisory" : "RHBA-2018:3743", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "openshift-ansible-0:3.11.51-2.git.0.51c90a3.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2018-12-12T00:00:00Z", "advisory" : "RHBA-2018:3743", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "openshift-enterprise-autoheal-0:3.11.51-1.git.219.8ea4275.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2018-12-12T00:00:00Z", "advisory" : "RHBA-2018:3743", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "openshift-enterprise-cluster-capacity-0:3.11.51-1.git.380.ffa21af.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2018-12-12T00:00:00Z", "advisory" : "RHBA-2018:3743", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "openshift-monitor-project-lifecycle-0:3.11.51-1.git.59.7b59e29.el7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "release_date" : "2018-12-12T00:00:00Z", "advisory" : "RHBA-2018:3743", "cpe" : "cpe:/a:redhat:openshift:3.11::el7", "package" : "openshift-monitor-sample-app-0:3.11.51-1.git.5.f6d0188.el7" } ], "package_state" : [ { "product_name" : "Red Hat OpenShift Container Platform 3.10", "fix_state" : "Will not fix", "package_name" : "jenkins", "cpe" : "cpe:/a:redhat:openshift:3.10" }, { "product_name" : "Red Hat OpenShift Container Platform 3.4", "fix_state" : "Will not fix", "package_name" : "jenkins", "cpe" : "cpe:/a:redhat:openshift:3.4" }, { "product_name" : "Red Hat OpenShift Container Platform 3.5", "fix_state" : "Will not fix", "package_name" : "jenkins", "cpe" : "cpe:/a:redhat:openshift:3.5" }, { "product_name" : "Red Hat OpenShift Container Platform 3.6", "fix_state" : "Will not fix", "package_name" : "jenkins", "cpe" : "cpe:/a:redhat:openshift:3.6" }, { "product_name" : "Red Hat OpenShift Container Platform 3.7", "fix_state" : "Will not fix", "package_name" : "jenkins", "cpe" : "cpe:/a:redhat:openshift:3.7" }, { "product_name" : "Red Hat OpenShift Container Platform 3.9", "fix_state" : "Will not fix", "package_name" : "jenkins", "cpe" : "cpe:/a:redhat:openshift:3.9" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "jenkins", "cpe" : "cpe:/a:redhat:openshift:4" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-1000409\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-1000409\nhttps://jenkins.io/security/advisory/2018-10-10/#SECURITY-1158" ], "name" : "CVE-2018-1000409", "csaw" : false }