Missing Permission Check in Jenkins Test Results Aggregator Plugin
CVE-2023-37956
6.5 MEDIUM
Key Information:
- Vendor: Jenkins
- CVE Published: 12 July 2023
What is CVE-2023-37956?
The Jenkins Test Results Aggregator Plugin, version 1.2.13 and earlier, is missing a permission check. Attackers with Overall/Read permission can use this flaw to connect to URLs they specify, using attacker-controlled credentials, potentially leading to unauthorized access and data exposure. It is crucial for users to update their plugins and review access permissions to mitigate this risk.
Affected Version(s)
Jenkins Test Results Aggregator Plugin: 0 through 1.2.13 (inclusive)