OpenId Connect Authentication Plugin Vulnerability in Jenkins
CVE-2023-50770

6.7MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Openid Connect Authentication Plugin
Vendor: CVE Published:; 13 December 2023

What is CVE-2023-50770?

The Jenkins OpenId Connect Authentication Plugin prior to version 2.6 contains a vulnerability where the password for a local user account is stored in a recoverable format. This design flaw permits attackers with access to the Jenkins controller file system to extract the plain text password easily. Consequently, such attackers could potentially gain unauthorized administrator access to the Jenkins instance, compromising the integrity and security of the environment.

Affected Version(s)

Jenkins OpenId Connect Authentication Plugin 0 <= 2.6

References

https://www.jenkins.io/security/advisory/2023-12-13/#SECU...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/12/13/4

CVSS V3.1

Score:

6.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 13, 2023
Vulnerability Reserved
Dec 13, 2023