CVE-2023-46651
Severity: MEDIUM 4.3 | EPSS: 0.06% | Jenkins Warnings Plugin exposes system-scoped credentials
Published: 2023/10/25 | Modified: 2024/2/16
Description
Jenkins Warnings Plugin 10.5.0 and earlier does not set the appropriate context for credentials lookup, allowing the use of system-scoped credentials otherwise reserved for the global configuration. This allows attackers with Item/Configure permission to access and capture credentials they are not entitled to. Warnings Plugin 10.5.1 defines the appropriate context for credentials lookup. This fix has been backported to 10.4.1.
Affected packages (1)
- Maven / io.jenkins.plugins:warnings-ng: >= 10.5.0, < 10.5.1
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-46651
- PATCH: https://github.com/jenkinsci/warnings-ng-plugin
- WEB: https://github.com/jenkinsci/warnings-ng-plugin/commit/17d18d2fae58f5658a40d03a03f927819eb6cf1a
- WEB: https://github.com/jenkinsci/warnings-ng-plugin/commit/372cd40ce73b25d8ae632b262f6ae1cd36ad9e4c
- WEB: https://www.jenkins.io/security/advisory/2023-10-25/#SECURITY-3265
- WEB: http://www.openwall.com/lists/oss-security/2023/10/25/2