Code Execution Flaw in Jenkins Email Extension Plugin
CVE-2023-25765

9.9CRITICAL

Key Information:

Vendor
Jenkins
Status
Jenkins Email Extension Plugin
Vendor
CVE Published:
15 February 2023

Summary

The Jenkins Email Extension Plugin prior to version 2.94 contains a vulnerability where templates created within a folder bypass Script Security controls. This allows malicious users who have access to define email templates to execute arbitrary code within the Jenkins server's JVM environment. This loophole poses significant security risks, enabling potential attackers to manipulate system operations or gain unauthorized access.

Affected Version(s)

Jenkins Email Extension Plugin <= 2.93

Jenkins Email Extension Plugin 2.89.0.1

References

https://www.jenkins.io/security/advisory/2023-02-15/#SECU...
http://www.openwall.com/lists/oss-security/2023/02/15/4
mailing-list

CVSS V3.1

Score:
9.9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.