Permission Check Flaw in Jenkins ElasticBox CI Plugin
CVE-2023-37965

7.1HIGH

Key Information:

Vendor: Jenkins
Status: Jenkins Elasticbox Ci Plugin
Vendor: CVE Published:; 12 July 2023

Summary

A flaw in the Jenkins ElasticBox CI Plugin versions 5.0.1 and earlier exposes the system to potential breaches. The vulnerability arises from a missing permission check that grants attackers with Overall/Read permission the capability to connect to arbitrary URLs. They can exploit this by utilizing credentials IDs acquired via other means, thereby capturing sensitive information stored within the Jenkins environment.

Affected Version(s)

Jenkins ElasticBox CI Plugin 0 <= 5.0.1

References

https://www.jenkins.io/security/advisory/2023-07-12/#SECU...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/07/12/2

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 12, 2023
Vulnerability Reserved
Jul 11, 2023