CVE-2023-50764

2023-12-1318:15:43

jenkins

web.nvd.nist.gov

cve-2023-50764

jenkins

scriptler plugin

http endpoint

security vulnerability

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

AI Score

7.8

Confidence

High

EPSS

0.001

Percentile

15.9%

JSON

Jenkins Scriptler Plugin 342.v6a_89fd40f466 and earlier does not restrict a file name query parameter in an HTTP endpoint, allowing attackers with Scriptler/Configure permission to delete arbitrary files on the Jenkins controller file system.

Affected configurations

Nvd

Node

jenkinsscriptlerRange≤342.v6a_89fd40f466jenkins

VendorProductVersionCPE
jenkinsscriptler*cpe:2.3:a:jenkins:scriptler:*:*:*:*:*:jenkins:*:*

Vendor	Product	Version	CPE
jenkins	scriptler	*	cpe:2.3:a:jenkins:scriptler::::::jenkins::*

CNA Affected

[
  {
    "vendor": "Jenkins Project",
    "product": "Jenkins Scriptler Plugin",
    "versions": [
      {
        "version": "0",
        "versionType": "maven",
        "lessThanOrEqual": "342.v6a_89fd40f466",
        "status": "affected"
      }
    ],
    "defaultStatus": "unaffected"
  }
]