[JENKINS:SECURITY-2564] Whole-script approval in `script-security` vulnerable to SHA-1 collisions

Severity High
Affected Packages 2
Fixed Packages 2
CVEs 1

script-security 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash (https://en.wikipedia.org/wiki/SHA-1) of the approved script.
SHA-1 no longer meets the security standards for producing a cryptographically secure message digest.

script-security 1190.v65867a_a_47126 uses SHA-512 for new whole-script approvals.
Previously approved scripts have their SHA-1-based whole-script approval replaced with a corresponding SHA-512 whole-script approval the next time the script is used.

NOTE: Whole-script approval stores only the SHA-1 or SHA-512 hash, not the script itself, so it is not possible to migrate all previously approved scripts automatically on startup.

Administrators concerned about SHA-1 collision attacks on the whole-script approval feature can revoke all previous (SHA-1) script approvals on the In-Process Script Approval page.
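The approval lifecycle described above (SHA-512 for new approvals, lazy replacement of a SHA-1 approval the next time the script is used, and a bulk revocation of whatever SHA-1 approvals remain) as a small constructed model. This is an added example, not the script-security plugin's own code; the class name, method names and the sample Groovy snippets are assumptions made for illustration.

```python
import hashlib


class ScriptApprovalStore:
    """Constructed model of a whole-script approval store (not the plugin's code).

    Only digests are kept, never the script text, which is why a legacy SHA-1
    approval can only be upgraded when the matching script is seen again.
    """

    def __init__(self, legacy_sha1=(), sha512=()):
        self.approved_sha1 = set(legacy_sha1)      # approvals written by the old version
        self.approved_sha512 = set(sha512)         # approvals written by the fixed version

    @staticmethod
    def sha1(script: str) -> str:
        return hashlib.sha1(script.encode("utf-8")).hexdigest()

    @staticmethod
    def sha512(script: str) -> str:
        return hashlib.sha512(script.encode("utf-8")).hexdigest()

    def approve(self, script: str) -> None:
        """New approvals are recorded with SHA-512 only."""
        self.approved_sha512.add(self.sha512(script))

    def is_approved(self, script: str) -> bool:
        """Check a script on use; upgrade a legacy SHA-1 approval to SHA-512 on first use."""
        digest512 = self.sha512(script)
        if digest512 in self.approved_sha512:
            return True
        digest1 = self.sha1(script)
        if digest1 in self.approved_sha1:
            # Lazy migration: the script text is available now, so replace the
            # SHA-1 entry with a SHA-512 entry and never consult SHA-1 for it again.
            self.approved_sha1.discard(digest1)
            self.approved_sha512.add(digest512)
            return True
        return False

    def revoke_legacy(self) -> int:
        """Administrator action: drop every remaining SHA-1 approval; returns how many."""
        count = len(self.approved_sha1)
        self.approved_sha1.clear()
        return count


def run_scenario() -> dict:
    """Walk through migration and revocation with constructed sample scripts."""
    used = "println 'build ok'"          # constructed: approved under the old version, used again
    stale = "println 'never run again'"  # constructed: approved under the old version, never reused
    unknown = "println 'not approved'"   # constructed: never approved at all

    store = ScriptApprovalStore(
        legacy_sha1=[ScriptApprovalStore.sha1(used), ScriptApprovalStore.sha1(stale)]
    )
    results = {}
    results["used_allowed"] = store.is_approved(used)          # True, and migrated
    results["used_sha1_gone"] = ScriptApprovalStore.sha1(used) not in store.approved_sha1
    results["used_sha512_present"] = ScriptApprovalStore.sha512(used) in store.approved_sha512
    results["unknown_allowed"] = store.is_approved(unknown)    # False
    results["legacy_left_before_revoke"] = len(store.approved_sha1)  # 1: the stale script
    results["revoked"] = store.revoke_legacy()                 # 1
    results["stale_allowed_after_revoke"] = store.is_approved(stale)  # False: must be re-approved
    results["used_still_allowed"] = store.is_approved(used)    # True: migrated entry survives
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The scenario makes the NOTE concrete: the stale script's SHA-1 entry can never be upgraded because its text is not stored, so it lingers until an administrator revokes it; the script that is used again is upgraded in place and survives the revocation.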

Affected versions
  pkg:maven/org.jenkins-ci.plugins/script-security   <= 1189.vb_a_b_7c8fd5fde
  pkg:github/jenkinsci/script-security-plugin        <= 1189.vb_a_b_7c8fd5fde
Fixed versions
  pkg:maven/org.jenkins-ci.plugins/script-security   = 1190.v65867a_a_47126
  pkg:github/jenkinsci/script-security-plugin        = 1190.v65867a_a_47126
ID
JENKINS:SECURITY-2564
Severity
high
Published
2022-11-15T00:00:00
Modified
2022-11-15T00:00:00
Rights
Jenkins Security Team
Other Advisories
Source: Plugin repository; ID: script-security; Name: repository; URL: https://github.com/jenkinsci/script-security-plugin
Type      Package URL                                        Namespace                Name / Product            Version
Affected  pkg:maven/org.jenkins-ci.plugins/script-security   org.jenkins-ci.plugins   script-security           <= 1189.vb_a_b_7c8fd5fde
Fixed     pkg:maven/org.jenkins-ci.plugins/script-security   org.jenkins-ci.plugins   script-security           = 1190.v65867a_a_47126
Affected  pkg:github/jenkinsci/script-security-plugin        jenkinsci                script-security-plugin    <= 1189.vb_a_b_7c8fd5fde
Fixed     pkg:github/jenkinsci/script-security-plugin        jenkinsci                script-security-plugin    = 1190.v65867a_a_47126