CVE-2023-28668
Jenkins Role-based Authorization Strategy Plugin grants permissions even after they’ve been disabled
Description
Permissions in Jenkins can be enabled and disabled. Some permissions are disabled by default, e.g., Overall/Manage or Item/Extended Read. Disabled permissions cannot be granted directly, only through greater permissions that imply them (e.g., Overall/Administer or Item/Configure). Role-based Authorization Strategy Plugin 587.v2872c41fa_e51 and earlier grants permissions even after they’ve been disabled. This allows attackers to have greater access than they’re entitled to after the following operations took place: A permission is granted to attackers directly or through groups. The permission is disabled, e.g., through the script console. Role-based Authorization Strategy Plugin 587.588.v850a_20a_30162 does not grant disabled permissions.
How to fix CVE-2023-28668
To remediate CVE-2023-28668, upgrade the affected package to a fixed version below.
- —upgrade to 587.588.v850a_20a_30162 or later
Is CVE-2023-28668 being exploited?
Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 587.588.v850a_20a_30162
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.9 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N |