correct CVE-2023-50770
Signed-off-by: Weston Steimel <[email protected]>
westonsteimel committed Nov 15, 2024
1 parent b85c70e commit 7bffe5a
Showing 1 changed file with 44 additions and 0 deletions.
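--- a/data/anchore/2023/CVE-2023-50770.json
+++ b/data/anchore/2023/CVE-2023-50770.json
@@ -0,0 +1,44 @@
+{
+"additionalMetadata": {
+"cna": "jenkins",
+"cveId": "CVE-2023-50770",
+"description": "Jenkins OpenId Connect Authentication Plugin 2.6 and earlier stores a password of a local user account used as an anti-lockout feature in a recoverable format, allowing attackers with access to the Jenkins controller file system to recover the plain text password of that account, likely gaining administrator access to Jenkins.",
+"reason": "Fix incorrect CPE that was pointing to jenkins openid plugin rather than oic-auth. Also adds the fixed in version",
+"references": [
+"http://www.openwall.com/lists/oss-security/2023/12/13/4",
+"https://www.jenkins.io/security/advisory/2023-12-13/#SECURITY-3168"
+]
+},
+"adp": {
+"affected": [
+{
+"cpes": [
+"cpe:2.3:a:jenkins:openid_connect_authentication:*:*:*:*:*:jenkins:*:*",
+"cpe:2.3:a:org.jenkins-ci.plugins:oic-auth:*:*:*:*:*:jenkins:*:*"
+],
+"product": "Jenkins OpenId Connect Authentication Plugin",
+"vendor": "Jenkins Project",
+"versions": [
+{
+"lessThan": "4.229.vf736b_fec02f4",
+"status": "affected",
+"version": "0",
+"versionType": "maven"
+}
+]
+}
+],
+"providerMetadata": {
+"orgId": "00000000-0000-4000-8000-000000000000",
+"shortName": "anchoreadp"
+},
+"references": [
+{
+"url": "https://github.com/jenkinsci/oic-auth-plugin/pull/287"
+},
+{
+"url": "https://github.com/jenkinsci/oic-auth-plugin/commit/f736bfec02f4244cca6113c82d17a2e788b1c0a8"
+}
+]
+}
+}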
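Review bot: The `description` still reads "2.6 and earlier" while the `versions` entry marks every release below `4.229.vf736b_fec02f4` as affected, and `reason` does not explain the wider range. The upper bound itself looks consistent with the record, since its suffix matches the referenced commit f736bfec02f4. Someone triaging a scanner match on a release between 2.6 and 4.229 could still read the description and dismiss the finding as a false positive. If no release before that build carries the fix, say so in `reason`, for example `"reason": "... Also adds the fixed in version; releases after 2.6 and before 4.229.vf736b_fec02f4 remain affected"`.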
