Missing Permission Check in Jenkins GitHub Pull Request Builder Plugin
CVE-2023-24435
6.5MEDIUM
Key Information:
- Vendor
- Jenkins
- Vendor
- CVE Published:
- 26 January 2023
Summary
A missing permission check in Jenkins' GitHub Pull Request Builder Plugin allows users with Overall/Read permissions to connect to unauthorized URLs. This vulnerability can be exploited by attackers to gain access to compromised credentials by using credential IDs that they obtain through various means, exposing sensitive data stored within Jenkins.
Affected Version(s)
Jenkins GitHub Pull Request Builder Plugin <= 1.42.2
References
CVSS V3.1
Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved