Jenkins Build Failure Analyzer Plugin Vulnerability Exposes Sensitive Information
CVE-2023-43501
6.5 MEDIUM
Key Information:
- Vendor: Jenkins
- CVE Published: 20 September 2023
Summary
The Jenkins Build Failure Analyzer Plugin suffers from a critical issue caused by a missing permission check: users with only Overall/Read permission can make the plugin open connections to a hostname and port of their choosing, authenticating with a username and password they also supply. This poses a significant risk of unauthorized access to sensitive data and systems. Users of versions 2.4.1 and earlier are urged to take immediate action to mitigate this vulnerability.
Affected Version(s)
Jenkins Build Failure Analyzer Plugin 0 <= 2.4.1
CVSS V3.1
- Score: 6.5
- Severity: MEDIUM
- Confidentiality: None
- Integrity: High
- Availability: None
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Timeline
- Vulnerability published
- Vulnerability reserved