{
  "threat_severity" : "Important",
  "public_date" : "2024-01-09T00:00:00Z",
  "bugzilla" : {
    "description" : "jenkins: cross-site WebSocket hijacking",
    "id" : "2260182",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2260182"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-79",
  "details" : [ "Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability, allowing attackers to execute CLI commands on the Jenkins controller.", "A flaw was found in Jenkins where the CLI WebSocket endpoint does not perform origin validation of the requests made to it, so a request originating from another site can be accepted as if it came from the Jenkins UI." ],
  "affected_release" : [ {
    "product_name" : "OCP-Tools-4.12-RHEL-8",
    "release_date" : "2024-02-12T00:00:00Z",
    "advisory" : "RHSA-2024:0778",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.12::el8",
    "package" : "jenkins-0:2.426.3.1706515686-3.el8"
  }, {
    "product_name" : "OCP-Tools-4.13-RHEL-8",
    "release_date" : "2024-02-12T00:00:00Z",
    "advisory" : "RHSA-2024:0776",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.13::el8",
    "package" : "jenkins-0:2.426.3.1706516254-3.el8"
  }, {
    "product_name" : "OpenShift Developer Tools and Services for OCP 4.11",
    "release_date" : "2024-02-12T00:00:00Z",
    "advisory" : "RHSA-2024:0775",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.11::el8",
    "package" : "jenkins-0:2.426.3.1706516929-3.el8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Will not fix",
    "package_name" : "jenkins",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-23898\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-23898\nhttp://www.openwall.com/lists/oss-security/2024/01/24/6\nhttps://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3315" ],
  "name" : "CVE-2024-23898",
  "csaw" : false
}