{
  "threat_severity" : "Moderate",
  "public_date" : "2023-07-12T00:00:00Z",
  "bugzilla" : {
    "description" : "Jenkins: Open redirect vulnerability in OpenShift Login Plugin",
    "id" : "2222710",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2222710"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-601",
  "details" : [ "Jenkins OpenShift Login Plugin 1.1.0.227.v27e08dfb_1a_20 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks.", "A flaw was found in the Jenkins OpenShift Login Plugin. Affected versions of this plugin contain an open redirect vulnerability that could allow a remote attacker to conduct phishing attacks. An attacker can use a specially crafted URL to redirect a victim to an arbitrary website after login." ],
  "affected_release" : [ {
    "product_name" : "OCP-Tools-4.12-RHEL-8",
    "release_date" : "2024-02-12T00:00:00Z",
    "advisory" : "RHSA-2024:0778",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.12::el8",
    "package" : "jenkins-2-plugins-0:4.12.1706515741-1.el8"
  }, {
    "product_name" : "OCP-Tools-4.14-RHEL-8",
    "release_date" : "2024-02-12T00:00:00Z",
    "advisory" : "RHSA-2024:0777",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.14::el8",
    "package" : "jenkins-2-plugins-0:4.14.1706516441-1.el8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Out of support scope",
    "package_name" : "jenkins-2-plugins",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "jenkins-2-plugins",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-37947\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-37947\nhttps://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-2999" ],
  "name" : "CVE-2023-37947",
  "csaw" : false
}