ghsa-qmhq-876f-cr65
Vulnerability from github
Published
2023-11-29 15:30
Modified
2023-11-29 21:32
Severity
Summary
Jenkins Jira Plugin vulnerable to exposure of system-scoped credentials
Details
Jenkins Jira Plugin 3.11 and earlier does not set the appropriate context for credentials lookup, allowing the use of system-scoped credentials otherwise reserved for the global configuration.
This allows attackers with Item/Configure permission to access and capture credentials they are not entitled to.
Jira Plugin 3.12 defines the appropriate context for credentials lookup.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:jira"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-49653"
],
"database_specific": {
"cwe_ids": [
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-29T21:32:10Z",
"nvd_published_at": "2023-11-29T14:15:07Z",
"severity": "MODERATE"
},
"details": "Jenkins Jira Plugin 3.11 and earlier does not set the appropriate context for credentials lookup, allowing the use of system-scoped credentials otherwise reserved for the global configuration.\n\nThis allows attackers with Item/Configure permission to access and capture credentials they are not entitled to.\n\nJira Plugin 3.12 defines the appropriate context for credentials lookup.",
"id": "GHSA-qmhq-876f-cr65",
"modified": "2023-11-29T21:32:10Z",
"published": "2023-11-29T15:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49653"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2023-11-29/#SECURITY-3225"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/11/29/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Jira Plugin vulnerable to exposure of system-scoped credentials"
}
Loading...