{"id":"CVE-2022-45379","details":"Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the script, which makes the approval check vulnerable to SHA-1 collision attacks: a different script with the same SHA-1 hash as an approved script would match the stored approval.","aliases":["GHSA-fv42-mx39-6fpw"],"modified":"2026-04-12T03:22:23.821330Z","published":"2022-11-15T20:15:11.390Z","references":[{"type":"ADVISORY","url":"https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2564"},{"type":"ARTICLE","url":"http://www.openwall.com/lists/oss-security/2022/11/15/4"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/script-security-plugin","events":[{"introduced":"0"},{"fixed":"65867aa471265a16198b92fb439782ba3554da66"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1190.v65867a_a_47126"}]}}],"versions":["1118.vba21ca2e3286","1125.v132f99385e1b_","1131.v8b_b_5eda_c328e","1138.v8e727069a_025","1140.vf967fb_efa_55a_","1145.vb_cf6cf6ed960","1146.vdf547f19a_473","1158.v7c1b_73a_69a_08","1172.v35f6a_0b_8207e","1175.v4b_d517d6db_f0","1183.v774b_0b_0a_a_451","1184.v85d16b_d851b_3","1189.vb_a_b_7c8fd5fde","script-security-1.0","script-security-1.0-beta-1","script-security-1.0-beta-2","script-security-1.0-beta-3","script-security-1.0-beta-4","script-security-1.0-beta-5","script-security-1.0-beta-6","script-security-1.1","script-security-1.10","script-security-1.11","script-security-1.12","script-security-1.13","script-security-1.14","script-security-1.15","script-security-1.16","script-security-1.17","script-security-1.18","script-security-1.19","script-security-1.2","script-security-1.20","script-security-1.21","script-security-1.22","script-security-1.23","script-security-1.24","script-security-1.25","script-security-1.26","script-security-1.27","script-security-1.28","script-security-1.29","script-security-1.3","script-security-1.30","script-security-1.31","script-security-1.32","script-security-1.33","script-security-1.34","script-security-1.35","script-security-1.36","script-security-1.37",
"script-security-1.38","script-security-1.39","script-security-1.4","script-security-1.40","script-security-1.41","script-security-1.42","script-security-1.43","script-security-1.44","script-security-1.45","script-security-1.46","script-security-1.47","script-security-1.48","script-security-1.49","script-security-1.5","script-security-1.50","script-security-1.51","script-security-1.52","script-security-1.53","script-security-1.54","script-security-1.55","script-security-1.56","script-security-1.57","script-security-1.58","script-security-1.59","script-security-1.6","script-security-1.60","script-security-1.61","script-security-1.62","script-security-1.63","script-security-1.64","script-security-1.65","script-security-1.66","script-security-1.67","script-security-1.68","script-security-1.69","script-security-1.7","script-security-1.70","script-security-1.71","script-security-1.72","script-security-1.73","script-security-1.74","script-security-1.75","script-security-1.76","script-security-1.77","script-security-1.78","script-security-1.8","script-security-1.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-45379.json","vanir_signatures_modified":"2026-04-12T03:22:23Z","vanir_signatures":[{"signature_type":"Function","digest":{"length":864,"function_hash":"256635158877751585222234242789932746639"},"target":{"function":"using","file":"src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java"},"id":"CVE-2022-45379-0511c6b4","deprecated":false,"signature_version":"v1","source":"https://github.com/jenkinsci/script-security-plugin/commit/65867aa471265a16198b92fb439782ba3554da66"},{"signature_type":"Function","digest":{"length":518,"function_hash":"88360061607774274383566484070154635910"},"target":{"function":"ScriptApproval","file":"src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java"},"id":"CVE-2022-45379-1be5e10c","deprecated":false,"signature_version":"v1","source":"ht
tps://github.com/jenkinsci/script-security-plugin/commit/65867aa471265a16198b92fb439782ba3554da66"},{"signature_type":"Line","digest":{"line_hashes":["227933098372412897739306163180656334288","78010536403153579235636793446250086172","26501721091862214056503614876223577046","82986120004088221711500160374884790230"],"threshold":0.9},"target":{"file":"src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/EntryApprovalTest.java"},"id":"CVE-2022-45379-2a45691d","deprecated":false,"signature_version":"v1","source":"https://github.com/jenkinsci/script-security-plugin/commit/65867aa471265a16198b92fb439782ba3554da66"},{"signature_type":"Function","digest":{"length":406,"function_hash":"260085401826685322692113333199307986678"},"target":{"function":"hash","file":"src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java"},"id":"CVE-2022-45379-36502fb2","deprecated":false,"signature_version":"v1","source":"https://github.com/jenkinsci/script-security-plugin/commit/65867aa471265a16198b92fb439782ba3554da66"},{"signature_type":"Function","digest":{"length":178,"function_hash":"25690599932531513004979134957108194650"},"target":{"function":"isClasspathEntryApproved","file":"src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java"},"id":"CVE-2022-45379-3bf4e0ef","deprecated":false,"signature_version":"v1","source":"https://github.com/jenkinsci/script-security-plugin/commit/65867aa471265a16198b92fb439782ba3554da66"},{"signature_type":"Line","digest":{"line_hashes":["260361940484754868619678433507258199135","257941114198674707603723178448821633431","302714639256601764060657704737401592947","133678551450884653251810597180862903740","250764844445063602303409351233805403831","91663333422710068654394273477238715037","191748208561920422989774371192298392091","275248652921560366798963398647857769444","276145280740184397218791875597204229259","122554235846930862130993899569107370856","228865471316424095314216169803624302583","28542583330830271
2803803511405897052358","134819231213317057835333891718519505596","251634121320348940618294280846274012810","321517032513668797305806634274336692885","197394741408185798328770338938301470409","220016837184672429461532410184879538689"],"threshold":0.9},"target":{"file":"src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/JcascTest.java"},"id":"CVE-2022-45379-3d4b4266","deprecated":false,"signature_version":"v1","source":"https://github.com/jenkinsci/script-security-plugin/commit/65867aa471265a16198b92fb439782ba3554da66"},{"signature_type":"Function","digest":{"length":485,"function_hash":"266175650221538550539642584560277956764"},"target":{"function":"setApprovedScriptHashes","file":"src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java"},"id":"CVE-2022-45379-493c98aa","deprecated":false,"signature_version":"v1","source":"https://github.com/jenkinsci/script-security-plugin/commit/65867aa471265a16198b92fb439782ba3554da66"},{"signature_type":"Function","digest":{"length":1356,"function_hash":"146689737580251949961240982503556572301"},"target":{"function":"configuring","file":"src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java"},"id":"CVE-2022-45379-9d81fddc","deprecated":false,"signature_version":"v1","source":"https://github.com/jenkinsci/script-security-plugin/commit/65867aa471265a16198b92fb439782ba3554da66"},{"signature_type":"Line","digest":{"line_hashes":["230238605794982947447331014876973611795","25028590040622040997100991315843283341","262106430283825024943675215215367828556","133510901058071798228620524829430028104","26058737929186858734426633308565690771","79191464648435272242286539832212257808","311776135142131477794372634550704962898","56439753932451147732174495314286515367","327552152418712628139200389454602262808","138908799648786777805821985091308618844","95763722256861244071414080398644685812","154518304219346855392849056469734401164","11706297286840274125833611591298522910","1045037557214141760
91970801893577584462","174356380926134217729881322940655520180","26761686207080954486807356286763446630","158789097117041637163343486610642267349","311767448653330256420484369350421219810","132730892857703106799538454623997041180","228402441253557861922840378069876228999","224148789511539955850566154942431914478","24115426343467067309730303433636037107","128987205705974076450088607280089850250","145758359013843892094323650264816439536","146568844518295903358171220962715526296","100189723878785440286888706617474346563","13612701684775307580855339555651709808","240829047116300486648755817216845020777","60204319424319403462102344172188409925","314544719548737105722429699138229760208","241327396224147184342021901392948368499","335852674422753087265164620957374358718","26335083925443849779621893096654678739","222388643095609097294153030655251506207","72256463038192090355705336773032036966","333787151556875598494232174093750351044","11796622162608854932778595896630151943","71642851961309616532336082267369534582","40360174527547759094632722800775133193","67993564479591006703254442391389884549","8040200327143163779191891742686612501","174217793581694441916715395144817924756","130425525895389190935122060103547002872","176463436353037185277978760478444024724","4946970387264401166879121739183814448","337814012389478864724653634159530308832","302132662367175435640806294400243506968","118202676946218195074588302645775757034","19780990504146033628613737630485713701","107920678542015959232393155191696656435","284606913881837033517978689441770992048","280204619180712041144188720365607353576","77094064914082747639125973703997581925","328953728569243587075024454860353401824","280189236361070988999615266135281436446","198864860680241816763531624595049145425","153983431420202133070855944620544254401","244833767520454356417727711729537923229","118059670372984259137393878444625793997","322645340631779704555899144295898607792","219778759649539317593645344556487929474","1946128552958534645
78886586585273427699","255436124204698346727047876118201352504","234666495329605038442319736720801856764","282694782750730509879972304879515215301","168760491080713495648437065310030605331","192850207882311432880500309698176401309","83672855130832385057896854909822386165","339443498740023133737058455408543505721","13477604704246182406179323803034418431","78795430653933475995619413202652668291","69930284464506175762900547182719217793","75665948159542068158994798345603187560","193845295023579838034624484587615452920","182655136500491783855672544381388379865","314426208330174106931059917798603367637","133380619457795446720893816143032191797","72568004430707422242404864691588545613","108267388975630392415343929405952157210","313029893569590897280069961386453474509","70540851705930207507879632092055814356","246869236777710175817747832134771451230","284794636557381164295170077294254654310","255558791829453380556623661864639622788","142045591035723194405713476960393010449","300629671568688072856732396665281354983","318780275197297560467554393097014762827","323520511476755397254834265488449728929","26610277536288162581987850347971771736","239470364804378576499571360588723766690","106305389928924297809668394332158092881","326171331865818788813917384471638141810","171069833624149326938441948059534759724","27595993875120972291914533642053649778","321600983831896987602832543806422040033","334278094073757907798464669414932369296","43681832387792339515329343437392990667","154650031971097101228078602739471147553","232645043072247376701159760108301242270","260355386789791424162143394825617420445","281553745372797835015077965348931014062","4532652347798649040976969747845198679","265680879920079013758910259828695406553","69644678121110803072357721140947305787","294430677239432775716535998651168222734","73343056750144174349708896857478455127","24519775393530128498517989264223496156","183541621178953177434351910652130498545","5459885054063219556802518350387127257","27949573853437626325
011030699337809272","15823761006995189099506663227289855054","305439926072478556134694247193578946625","255849279968067542079453534464444847652","189767112738100178214368276193611407487","180032464335441666543080269571476839338","164515281978761699666027453851564258919","252285582562166630634296109184409560673","146096223296558397050919389344476334349","312093955210014257290828079688210914510","140635404047463825521418462807240593017","96159222927892200001117391527337510924","45137628309228649432615195057708034062","83293834302523927132408381097866382671","337346250630276694539790703757661083352","110682567151722265823151295610880543250","184819948907912803374610719041572171568","25810901204222702492987538087710597645","128222948199917750193655840617332943800","209265962667703328364331410055448956814","19826496574867726444565989313499411631","224767385093763293286605569533043380860","332736066277169812601268652056085861257","15128860481069825827788113300023759162","224564439553628526041010557752746349563","97704007064297803332530992563379378395","143629269154252266322766470398150692353","27781231757622490736938566156095691076","268821927287045249380764753570696239251","288435713833379841553916352044192046150","47198626178894151389781654885809975374","281951333145648200742073959145302920500","153855451295590849648444598523463687936","277819771944640976579759854050433060889","164862617534096848191652313688381386233","310879990802145633872661257092941439669","130124140794724058600587953383822469336","104415919087073469536245958584093174892","226022277292308142593134178411211224212","37437773657212635021909297890054926696","323574709463087537460116314244634675255","113169129463186877754173723213148439640","47813995540480821729930229075499230803","39738259065564756844789107236888956436","137247414319968390038906088328954359984","49765857873880911128265127426323298098","190489919506281692566786864116419567474","172610430134124101240311175429782704363","2287496257880536758
38545460552841124212","40208354072547096398974261739528771075","208652930302641923704019001346573256287","145478770635603037370600351677580664226","240678110393063701638019422991248310576"],"threshold":0.9},"target":{"file":"src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java"},"id":"CVE-2022-45379-a8930813","deprecated":false,"signature_version":"v1","source":"https://github.com/jenkinsci/script-security-plugin/commit/65867aa471265a16198b92fb439782ba3554da66"},{"signature_type":"Function","digest":{"length":515,"function_hash":"72868226864665399202691268455065204431"},"target":{"function":"hashClasspathEntry","file":"src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java"},"id":"CVE-2022-45379-b501a1d3","deprecated":false,"signature_version":"v1","source":"https://github.com/jenkinsci/script-security-plugin/commit/65867aa471265a16198b92fb439782ba3554da66"},{"signature_type":"Function","digest":{"length":119,"function_hash":"253371680203947640925278665584428968916"},"target":{"function":"isScriptApproved","file":"src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java"},"id":"CVE-2022-45379-b576c1df","deprecated":false,"signature_version":"v1","source":"https://github.com/jenkinsci/script-security-plugin/commit/65867aa471265a16198b92fb439782ba3554da66"},{"signature_type":"Function","digest":{"length":789,"function_hash":"96633588711598299111071703681846902890"},"target":{"function":"configuring","file":"src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java"},"id":"CVE-2022-45379-b8f516ad","deprecated":false,"signature_version":"v1","source":"https://github.com/jenkinsci/script-security-plugin/commit/65867aa471265a16198b92fb439782ba3554da66"},{"signature_type":"Function","digest":{"length":163,"function_hash":"44915992432643946629667570677569617985"},"target":{"function":"preapprove","file":"src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java"
},"id":"CVE-2022-45379-c925d767","deprecated":false,"signature_version":"v1","source":"https://github.com/jenkinsci/script-security-plugin/commit/65867aa471265a16198b92fb439782ba3554da66"},{"signature_type":"Function","digest":{"length":62,"function_hash":"78767049964118590900681436501069124651"},"target":{"function":"getHash","file":"src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java"},"id":"CVE-2022-45379-ca77a782","deprecated":false,"signature_version":"v1","source":"https://github.com/jenkinsci/script-security-plugin/commit/65867aa471265a16198b92fb439782ba3554da66"},{"signature_type":"Function","digest":{"length":350,"function_hash":"45344397439606831352327269539930235055"},"target":{"function":"smokeTestEntry","file":"src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/JcascTest.java"},"id":"CVE-2022-45379-e3138b95","deprecated":false,"signature_version":"v1","source":"https://github.com/jenkinsci/script-security-plugin/commit/65867aa471265a16198b92fb439782ba3554da66"},{"signature_type":"Function","digest":{"length":223,"function_hash":"54326643943990611982358434672404297070"},"target":{"function":"Entry","file":"src/test/java/org/jenkinsci/plugins/scriptsecurity/scripts/EntryApprovalTest.java"},"id":"CVE-2022-45379-e78406c7","deprecated":false,"signature_version":"v1","source":"https://github.com/jenkinsci/script-security-plugin/commit/65867aa471265a16198b92fb439782ba3554da66"},{"signature_type":"Function","digest":{"length":983,"function_hash":"173286560121858652328572534068249329513"},"target":{"function":"checking","file":"src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java"},"id":"CVE-2022-45379-f3f8d2f7","deprecated":false,"signature_version":"v1","source":"https://github.com/jenkinsci/script-security-plugin/commit/65867aa471265a16198b92fb439782ba3554da66"},{"signature_type":"Function","digest":{"length":304,"function_hash":"225045422999835045371486515074668540893"},"target":{"function":"using"
,"file":"src/main/java/org/jenkinsci/plugins/scriptsecurity/scripts/ScriptApproval.java"},"id":"CVE-2022-45379-f78f43af","deprecated":false,"signature_version":"v1","source":"https://github.com/jenkinsci/script-security-plugin/commit/65867aa471265a16198b92fb439782ba3554da66"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}