CVE-2023-50769

2023-12-1318:15:43

Google

osv.dev

jenkins

nexus platform plugin

permission checks

http server

credentials

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4.6 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

13.3%

JSON

Missing permission checks in Jenkins Nexus Platform Plugin 3.18.0-03 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CPENameOperatorVersion
nexus-platform-plugineqrelease-1.1.0-05
nexus-platform-plugineqrelease-3.18.0-02
nexus-platform-plugineq3.16.476.v410d6968f400
nexus-platform-plugineq3.16.478.v41ee37380162
nexus-platform-plugineq3.16.510.v4d23e22cf563
nexus-platform-plugineqnexus-jenkins-plugin-3.11.20210716-075132.3b66565
nexus-platform-plugineqrelease-3.18.0-03
nexus-platform-plugineq3.14.431.v37ca_dc788b_b_1
nexus-platform-plugineq3.14.412.v8021dc9cc4ef
nexus-platform-plugineqrelease-1.0.0-02

Name	Operator	Version
nexus-platform-plugin	eq	release-1.1.0-05
nexus-platform-plugin	eq	release-3.18.0-02
nexus-platform-plugin	eq	3.16.476.v410d6968f400
nexus-platform-plugin	eq	3.16.478.v41ee37380162
nexus-platform-plugin	eq	3.16.510.v4d23e22cf563
nexus-platform-plugin	eq	nexus-jenkins-plugin-3.11.20210716-075132.3b66565
nexus-platform-plugin	eq	release-3.18.0-03
nexus-platform-plugin	eq	3.14.431.v37ca_dc788b_b_1
nexus-platform-plugin	eq	3.14.412.v8021dc9cc4ef
nexus-platform-plugin	eq	release-1.0.0-02