GHSA-4hm4-94g6-f23f

Опубликовано: 12 июл. 2023

Источник: github

Github: Прошло ревью

CVSS3: 5.4

Описание

Jenkins Orka by MacStadium Plugin missing permission check

Jenkins Orka by MacStadium Plugin 1.33 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Orka by MacStadium Plugin 1.34 requires Overall/Administer permission to access the affected HTTP endpoint.

Ссылки

Пакеты

Наименование

io.jenkins.plugins:macstadium-orka

maven

Затронутые версииВерсия исправления

< 1.34

1.34

EPSS

Процентиль: 31%

0.00116

Низкий

5.4 Medium

CVSS3

CVE ID

CVE-2023-37949

Дефекты

CWE-862

Связанные уязвимости

CVE-2023-37949

CVSS3: 7.1

nvd

больше 2 лет назад

A missing permission check in Jenkins Orka by MacStadium Plugin 1.33 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

EPSS

Процентиль: 31%

0.00116

Низкий

5.4 Medium

CVSS3

CVE ID

CVE-2023-37949

Дефекты

CWE-862