CVE-2023-24449

2023-01-2621:18:18

CWE-22

[email protected]

web.nvd.nist.gov

cve-2023-24449

jenkins

pwauth

security realm plugin

file path restriction

form validation

nvd

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

27.5%

JSON

Jenkins PWauth Security Realm Plugin 0.4 and earlier does not restrict the names of files in methods implementing form validation, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

Affected configurations

NVD

Node

jenkinspwauth_security_realmRange≤0.4jenkins

CPENameOperatorVersion
jenkins:pwauth_security_realmjenkins pwauth security realmle0.4

CPE	Name	Operator	Version
jenkins:pwauth_security_realm	jenkins pwauth security realm	le	0.4

CNA Affected

[
  {
    "product": "Jenkins PWauth Security Realm Plugin",
    "vendor": "Jenkins Project",
    "versions": [
      {
        "lessThanOrEqual": "0.4",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "unknown",
        "version": "next of 0.4",
        "versionType": "custom"
      }
    ]
  }
]