Missing permission checks in Fortify Plugin allow capturing credentials

CVE-2023-4302
4.2MEDIUM

Key Information

Vendor
Jenkins
Status
Jenkins Fortify Plugin
Vendor
CVE Published:
21 August 2023

Summary

A missing permission check in Jenkins Fortify Plugin 22.1.38 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Affected Version(s)

Jenkins Fortify Plugin <= 22.1.38

CVSS V3.1

Score:
4.2
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Risk change from: 4.3 to: 4.2 - (MEDIUM)

  • Vulnerability published.

  • Vulnerability Reserved.

Collectors

NVD DatabaseMitre Database

Credit

Alvaro Muñoz (@pwntester), GitHub Security Lab
Kevin Guerroudj, CloudBees, Inc.
.