CVE-2023-37946

8.8 HIGH

📋 TL;DR

The Jenkins OpenShift Login Plugin does not invalidate the existing HTTP session when a user logs in (session fixation). An attacker who can get a session ID they already know into a victim's browser before the victim authenticates ends up holding a valid, now-authenticated session, because the ID is never rotated at login. Only Jenkins instances that use the OpenShift Login Plugin as their security realm are affected.

💻 Affected Systems

Products:
  • Jenkins OpenShift Login Plugin
Versions: 1.1.0.227.v27e08dfb_1a_20 and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Jenkins installations using the OpenShift Login Plugin for authentication. Standard Jenkins installations without this plugin are not vulnerable.

📦 What is this software?

The OpenShift Login Plugin is a Jenkins security realm that delegates user authentication to an OpenShift cluster's OAuth server, so Jenkins users sign in with their OpenShift identity instead of a Jenkins-managed account.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could hijack administrator sessions, gaining full control over Jenkins to execute arbitrary code, steal credentials, modify configurations, or deploy malicious builds.

🟠

Likely Case

Attackers hijack user sessions to access sensitive build data, modify job configurations, or escalate privileges within the Jenkins environment.

🟢

If Mitigated

Once the plugin is updated so that login issues a fresh session ID, a session ID planted before authentication is worthless to the attacker. Until then, network restrictions only limit who can reach the login page; they do not remove the session-fixation condition itself, and any hijacked session is still confined to what that Jenkins user can do.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation is a standard session fixation chain: the attacker first obtains a genuine, unauthenticated session ID from the Jenkins instance, plants that ID in the victim's browser (for example via a cookie set by another application under the same parent domain, or via a script-injection flaw elsewhere on the site), and waits for the victim to log in through OpenShift. Because the plugin keeps the pre-login session, the attacker's copy of the ID is now authenticated as the victim. The ID cannot simply be guessed: the servlet container generates it and does not adopt unknown IDs, so the hard part is the planting step, and the attack requires the victim to log in.
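The following is an added illustration of the behaviour the advisory describes, not code from the OpenShift Login Plugin or Jenkins. It models a server-side session table the way a servlet container behaves (unknown cookie values are not adopted, so the attacker must first obtain a real session ID), then replays the fixation attack against a login handler that keeps the pre-login session and against one that rotates it. All names (SessionStore, login_vulnerable, login_fixed, run_fixation_attack) are made up for the example.

```python
"""Session fixation: login that keeps the session vs. login that rotates it.

Added example for this advisory; not code from Jenkins or the plugin.
"""
import secrets


class SessionStore:
    """Minimal server-side session table: session id -> attributes."""

    def __init__(self):
        self.sessions = {}

    def create(self):
        """Issue a fresh, unpredictable session id (as the container would)."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid

    def resolve(self, cookie_sid):
        """Map an incoming cookie to a session. Unknown ids are NOT adopted;
        a fresh session is created instead. This is why the attacker has to
        obtain a genuine id from the server rather than invent one."""
        if cookie_sid in self.sessions:
            return cookie_sid
        return self.create()

    def invalidate(self, sid):
        self.sessions.pop(sid, None)


def login_vulnerable(store, cookie_sid, user):
    """Pre-fix behaviour: authenticate inside whatever session the cookie names."""
    sid = store.resolve(cookie_sid)
    store.sessions[sid]["user"] = user
    return sid


def login_fixed(store, cookie_sid, user):
    """Fixed behaviour: discard the pre-login session and issue a new id
    that nobody but the authenticating browser has seen."""
    old = store.resolve(cookie_sid)
    store.invalidate(old)
    sid = store.create()
    store.sessions[sid]["user"] = user
    return sid


def whoami(store, cookie_sid):
    """Who does the server think this cookie belongs to? None = nobody."""
    return store.sessions.get(cookie_sid, {}).get("user")


def run_fixation_attack(login):
    """Replay the attack against a login handler.

    Returns (user the attacker's cookie resolves to after the victim logs in,
             whether the victim received a different id than the planted one).
    """
    store = SessionStore()
    # 1. Attacker visits Jenkins anonymously and receives a genuine session id.
    planted = store.create()
    # 2. Attacker plants that id in the victim's browser (cookie injection,
    #    out of scope here; we simply hand the victim the same value).
    # 3. Victim logs in with the planted cookie.
    victim_sid = login(store, planted, "admin")
    # 4. Attacker presents the id they planted.
    return whoami(store, planted), victim_sid != planted


if __name__ == "__main__":
    print("vulnerable:", run_fixation_attack(login_vulnerable))  # ('admin', False)
    print("fixed:     ", run_fixation_attack(login_fixed))       # (None, True)
```

The only difference between the two handlers is the invalidate-and-recreate step; that single change is what the patched plugin release introduces at the protocol level, and it is the property you should verify after upgrading (the cookie value must differ before and after login).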

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.0.228.vc7a_0b_0c3d26 or later

Vendor Advisory: https://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-2998

Restart Required: Yes

Instructions:

1. Update Jenkins OpenShift Login Plugin to version 1.1.0.228.vc7a_0b_0c3d26 or later via Jenkins Plugin Manager.
2. Restart Jenkins service.
3. Verify plugin version in Manage Jenkins > Plugin Manager.

🔧 Temporary Workarounds

Disable OpenShift Login Plugin

Platform: all

Temporarily disable the vulnerable plugin until patching is possible. Caveat: the plugin is the security realm, so disabling it removes the login method. Switch Manage Jenkins > Security (Configure Global Security on older releases) > Security Realm to another realm first, for example Jenkins' own user database with administrator accounts already created, or everyone including administrators will be locked out.

Navigate to Manage Jenkins > Plugin Manager > Installed tab, find 'OpenShift Login Plugin', click 'Disable', then restart Jenkins.

Implement Session Timeout

Platform: all

Reduce the session timeout to shorten the window in which a fixated session stays usable. This does not prevent the attack; it only limits how long a hijacked session remains valid after the victim stops using it.

Jenkins has no session-timeout field in its web UI; the timeout belongs to the servlet container. For the bundled Jetty launcher, pass --sessionTimeout=<minutes> on the jenkins.war command line (for example through JENKINS_OPTS in the service configuration), e.g. --sessionTimeout=30, and restart Jenkins.

🧯 If You Can't Patch

  • Restrict network access to Jenkins to trusted IPs only, and serve it over HTTPS exclusively so the session cookie is never exchanged in the clear
  • Give Jenkins its own dedicated hostname: a cookie set by any other application under a shared parent domain can be scoped to that domain, and that is the easiest way to plant a session ID in a victim's browser
  • Multi-factor authentication at the OpenShift identity provider hardens credential-based attacks but does not stop session fixation, because the attacker reuses the session after the victim has completed login

🔍 How to Verify

Check if Vulnerable:

Check plugin version in Jenkins: Manage Jenkins > Plugin Manager > Installed tab, find 'OpenShift Login Plugin' and check version number.

Check Version:

Jenkins web interface: Manage Jenkins > Plugin Manager > Installed tab

Verify Fix Applied:

Verify plugin version is 1.1.0.228.vc7a_0b_0c3d26 or later in Plugin Manager, then test the fix directly: while logged out, note the value of the JSESSIONID.* cookie for the Jenkins host (browser developer tools > Application/Storage > Cookies), log in through OpenShift, and read it again. A patched plugin issues a different value; an unchanged value means the pre-login session survived authentication and the instance is still vulnerable.
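For fleets of Jenkins instances, clicking through Plugin Manager does not scale. Here is an added example (not part of Jenkins or the plugin) that reads the JSON the plugin manager API returns at /pluginManager/api/json?tree=plugins[shortName,version] and decides whether the installed OpenShift Login Plugin is below the fixed release. The plugin short name is assumed to be openshift-login, and the sample response below is constructed for the example, not captured from a real instance.

```python
"""Check the installed OpenShift Login Plugin version against the fixed release.

Added example for this advisory; not Jenkins or plugin code.
"""
import base64
import json
import sys
import urllib.request

FIXED_VERSION = "1.1.0.228.vc7a_0b_0c3d26"
PLUGIN_SHORT_NAME = "openshift-login"  # assumption: the plugin's artifact id

# Constructed sample of what the plugin manager API returns (trimmed).
SAMPLE_RESPONSE = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "5.2.1"},
        {"shortName": "openshift-login", "version": "1.1.0.227.v27e08dfb_1a_20"},
    ]
})


def version_key(version):
    """Order Jenkins-style plugin versions by their leading numeric segments.

    The trailing 'v<hash>' part is a build identifier, not an ordering key,
    so it is dropped: '1.1.0.227.v27e08dfb_1a_20' -> (1, 1, 0, 227).
    """
    numeric = []
    for part in version.split("."):
        if not part.isdigit():
            break
        numeric.append(int(part))
    return tuple(numeric)


def is_vulnerable(installed_version):
    """True when the installed version sorts below the fixed release."""
    return version_key(installed_version) < version_key(FIXED_VERSION)


def assess(plugin_json):
    """Return (installed_version, vulnerable); (None, False) if the plugin is absent."""
    for plugin in json.loads(plugin_json).get("plugins", []):
        if plugin.get("shortName") == PLUGIN_SHORT_NAME:
            return plugin["version"], is_vulnerable(plugin["version"])
    return None, False


def fetch_plugins(base_url, user, api_token):
    """Query a live Jenkins (HTTP basic auth with a user API token)."""
    url = base_url.rstrip("/") + "/pluginManager/api/json?tree=plugins[shortName,version]"
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Usage: check_plugin.py <jenkins-url> <user> <api-token>; no args = sample data.
    body = fetch_plugins(*sys.argv[1:4]) if len(sys.argv) == 4 else SAMPLE_RESPONSE
    version, vulnerable = assess(body)
    if version is None:
        print("openshift-login not installed: not affected")
    else:
        print(f"openshift-login {version}: {'VULNERABLE' if vulnerable else 'patched'}")
    sys.exit(1 if vulnerable else 0)
```

The numeric-prefix comparison is deliberate: Jenkins plugin versions of the form 1.1.0.NNN.v<hash> are ordered by the numeric build counter, and the hash suffix must not take part in the comparison or a lexicographic sort will misjudge releases.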

📡 Detection & Monitoring

Log Indicators:

Jenkins' own logs do not record session IDs, so the indicators below need a reverse proxy (nginx, Apache httpd, an ingress) in front of Jenkins that logs a hash of the incoming JSESSIONID.* cookie value together with the client address. Log the hash, never the raw cookie; a raw session ID in a log file is itself a hijack target.

  • The same session-cookie hash seen from more than one client address
  • The same session-cookie hash seen both before and after a completed login, which means the session was not rotated and the vulnerable plugin version is in use
  • A session first seen from address A, authenticated from address B, then used again from A (the fixation pattern)
  • Several logins by the same user in quick succession

Network Indicators:

  • Requests carrying the same session cookie from unexpected source addresses or networks
  • Authenticated requests from an address that has never completed a login itself

SIEM Query:

Splunk-style, assuming the proxy log is ingested with fields src_ip and session_hash (field names are an assumption; adjust to your ingest):

source="jenkins-proxy-access.log" | stats dc(src_ip) AS src_count values(src_ip) AS src_ips BY session_hash | where src_count > 1
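The same correlation, run locally over proxy log lines, as an added example that is not part of Jenkins or the plugin. It assumes a reverse proxy writes one line per request as `<client-ip> <timestamp> <method> <path> <status> <hash-of-session-cookie>`; that layout, the login-completion path (/securityRealm/finishLogin) and the log lines themselves are constructed for the example.

```python
"""Flag Jenkins session cookies that are shared across source addresses or
that survive login unchanged. Added example for this advisory; not Jenkins code.
"""
from collections import defaultdict

# Assumption: the path the login flow hits when authentication completes.
LOGIN_CALLBACK_PATH = "/securityRealm/finishLogin"

# Constructed sample. Session 9f3c1e2a is first obtained from 203.0.113.7
# (attacker), authenticated from 198.51.100.22 (victim), then reused from
# 203.0.113.7 with the victim's privileges. Session c0ffee11 is benign.
SAMPLE_LOG = """\
203.0.113.7 2023-07-13T09:00:01Z GET / 200 9f3c1e2a
198.51.100.22 2023-07-13T09:01:10Z GET /securityRealm/commenceLogin 302 9f3c1e2a
198.51.100.22 2023-07-13T09:01:15Z GET /securityRealm/finishLogin 302 9f3c1e2a
198.51.100.22 2023-07-13T09:01:16Z GET / 200 9f3c1e2a
203.0.113.7 2023-07-13T09:02:00Z GET /manage 200 9f3c1e2a
198.51.100.40 2023-07-13T09:05:00Z GET / 200 c0ffee11
198.51.100.40 2023-07-13T09:05:20Z GET /job/build/ 200 c0ffee11
"""


def parse_line(line):
    """Split one proxy log line into its fields (format is the assumed one above)."""
    ip, ts, method, path, status, sid = line.split()
    return {"ip": ip, "ts": ts, "method": method, "path": path,
            "status": int(status), "sid": sid}


def analyze(log_text):
    """Return three findings keyed by session hash:

    shared    - sessions used from more than one client address
    unrotated - sessions seen both before and after login completion
                (the plugin did not rotate the id: vulnerable version)
    suspects  - sessions touched by an address other than the one that
                completed the login (the fixation pattern)
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_sid = defaultdict(list)
    for e in events:          # file order is assumed to be chronological
        by_sid[e["sid"]].append(e)

    shared, unrotated, suspects = {}, [], []
    for sid, evs in by_sid.items():
        ips = sorted({e["ip"] for e in evs})
        if len(ips) > 1:
            shared[sid] = ips
        login_idx = next((i for i, e in enumerate(evs)
                          if e["path"] == LOGIN_CALLBACK_PATH), None)
        if login_idx is None:
            continue          # never authenticated: nothing more to say
        before, after = evs[:login_idx], evs[login_idx + 1:]
        if before and after:
            unrotated.append(sid)
        login_ip = evs[login_idx]["ip"]
        if {e["ip"] for e in before + after} - {login_ip}:
            suspects.append(sid)
    return {"shared": shared, "unrotated": unrotated, "suspects": suspects}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

On a patched instance the unrotated list should stay empty, because the session hash changes at the login callback; a non-empty list is a cheap fleet-wide signal that some instance still runs the old plugin, independent of whether anyone is attacking it.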

🔗 References
