GHSA-w3p4-7823-m33q

Опубликовано: 12 июл. 2023

Источник: github

Github: Прошло ревью

CVSS3: 6.5

Описание

Jenkins Datadog Plugin does not perform a permission check in an HTTP endpoint.

Jenkins Datadog Plugin 5.4.1 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Datadog Plugin 5.4.2 requires Overall/Administer permission to access the affected HTTP endpoint.

Ссылки

Пакеты

Наименование

org.datadog.jenkins.plugins:datadog

maven

Затронутые версииВерсия исправления

< 5.4.2

5.4.2

EPSS

Процентиль: 27%

0.00099

Низкий

6.5 Medium

CVSS3

CVE ID

CVE-2023-37944

Дефекты

CWE-862

Связанные уязвимости

CVE-2023-37944

CVSS3: 6.5

nvd

больше 2 лет назад

A missing permission check in Jenkins Datadog Plugin 5.4.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

EPSS

Процентиль: 27%

0.00099

Низкий

6.5 Medium

CVSS3

CVE ID

CVE-2023-37944

Дефекты

CWE-862