Missing Permission Check in Jenkins Orka by MacStadium Plugin Affects Security
CVE-2023-37949

7.1HIGH

Key Information:

Vendor: Jenkins
Status: Jenkins Orka By Macstadium Plugin
Vendor: CVE Published:; 12 July 2023

What is CVE-2023-37949?

A vulnerability has been identified in the Jenkins Orka by MacStadium Plugin, where a missing permission check allows users with Overall/Read permission to connect to arbitrary URLs with credentials specified by the attacker. This flaw can lead to the unauthorized disclosure of sensitive credentials stored in Jenkins, potentially compromising the security of the entire Jenkins environment. It is essential for users of the affected versions to assess their risk and apply necessary security measures.

Affected Version(s)

Jenkins Orka by MacStadium Plugin 0 <= 1.33

References

https://www.jenkins.io/security/advisory/2023-07-12/#SECU...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/07/12/2

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 12, 2023
Vulnerability Reserved
Jul 11, 2023