Missing Permission Check in Jenkins Benchmark Evaluator Plugin
CVE-2023-37963

5.4MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Benchmark Evaluator Plugin
Vendor: CVE Published:; 12 July 2023

Summary

The Jenkins Benchmark Evaluator Plugin before version 1.0.1 is susceptible to a missing permission check, allowing users with Overall/Read permissions to interact with user-defined URLs. This flaw enables attackers to probe the Jenkins controller's file system for specific directory structures and file types, specifically targeting '.csv' and '.ycsb' files. Exploitation of this vulnerability could lead to unauthorized information disclosure, posing significant risks to the integrity of the Jenkins environment.

Affected Version(s)

Jenkins Benchmark Evaluator Plugin 0 <= 1.0.1

References

https://www.jenkins.io/security/advisory/2023-07-12/#SECU...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/07/12/2

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 12, 2023
Vulnerability Reserved
Jul 11, 2023