CVE-2023-24433

2023-01-2621:18:17

CWE-862

jenkins

web.nvd.nist.gov

cve

2023

24433

jenkins

orka

macstadium

plugin

security

vulnerability

nvd

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.3

Confidence

High

EPSS

0.001

Percentile

29.1%

JSON

Missing permission checks in Jenkins Orka by MacStadium Plugin 1.31 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Affected configurations

Nvd

Node

jenkinsorka_by_macstadiumRange<1.32jenkins

VendorProductVersionCPE
jenkinsorka_by_macstadium*cpe:2.3:a:jenkins:orka_by_macstadium:*:*:*:*:*:jenkins:*:*

Vendor	Product	Version	CPE
jenkins	orka_by_macstadium	*	cpe:2.3:a:jenkins:orka_by_macstadium::::::jenkins::*

CNA Affected

[
  {
    "product": "Jenkins Orka by MacStadium Plugin",
    "vendor": "Jenkins Project",
    "versions": [
      {
        "lessThanOrEqual": "1.31",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]