Unauthorized Credential Enumeration in Jenkins GitHub Pull Request Builder Plugin
CVE-2023-24436

4.3MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins GitHub Pull Request Builder Plugin
Vendor: CVE Published:; 26 January 2023

Summary

The Jenkins GitHub Pull Request Builder Plugin suffers from a security flaw that allows users with Overall/Read permissions to access and enumerate the IDs of stored credentials in Jenkins. This missing permission verification creates an avenue for attackers to exploit sensitive information, posing a significant risk to user security and data integrity. Keeping the plugin updated and reviewing user permissions are crucial steps to mitigate this vulnerability.

Affected Version(s)

Jenkins GitHub Pull Request Builder Plugin <= 1.42.2

References

https://www.jenkins.io/security/advisory/2023-01-24/#SECU...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 26, 2023
Vulnerability Reserved
Jan 23, 2023