Lucene search

GitHub Advisory DatabaseGHSA-6J27-3XFW-CJ2W

HistoryJan 26, 2023 - 9:30 p.m.

Missing permissions check in Jenkins JIRA Pipeline Steps Plugin

2023-01-2621:30:18

CWE-862

GitHub Advisory Database

github.com

jenkins

jira

pipeline

permission check

vulnerability

credentials capture

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

27.6%

JSON

A missing permission check in Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Affected configurations

Vulners

Node

org.jenkinsci.plugins\Matchjira

CPENameOperatorVersion
org.jenkins-ci.plugins:jira-stepsle2.0.165.v8846cf59f3db

CPE	Name	Operator	Version
	org.jenkins-ci.plugins:jira-steps	le	2.0.165.v8846cf59f3db

References

github.com/advisories/GHSA-6j27-3xfw-cj2w

nvd.nist.gov/vuln/detail/CVE-2023-24438

www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2786

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

27.6%

JSON

Related for GHSA-6J27-3XFW-CJ2W