CVE-2023-32997 — Jenkins CAS Plugin Session Fixation vulnerability

Description

Jenkins CAS Plugin 1.6.2 and earlier does not invalidate the existing session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. CAS Plugin 1.6.3 invalidates the existing session on login.

How to fix CVE-2023-32997

To remediate CVE-2023-32997, upgrade the affected package to a fixed version below.

—upgrade to 1.6.3 or later

Is CVE-2023-32997 being exploited?

Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.6.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-32997
WEBgithub.com/jenkinsci/cas-plugin/commit/3a33cc0175bcc18801faf9125afb38d495b5995f
WEBwww.jenkins.io/security/advisory/2023-05-16/#SECURITY-3000