Missing permission checks in Fortify Plugin allow capturing credentials
CVE-2023-4302
4.2MEDIUM
Summary
A missing permission check in Jenkins Fortify Plugin 22.1.38 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Affected Version(s)
Jenkins Fortify Plugin <= 22.1.38
CVSS V3.1
Score:
4.2
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Risk change from: 4.3 to: 4.2 - (MEDIUM)
Vulnerability published.
Vulnerability Reserved.
Collectors
NVD DatabaseMitre Database
Credit
Alvaro Muñoz (@pwntester), GitHub Security Lab
Kevin Guerroudj, CloudBees, Inc.