Jenkins Matrix Project Plugin Vulnerability Exposes Config Files to Unauthorized Changes
CVE-2024-23900

4.3MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Matrix Project Plugin
Vendor: CVE Published:; 24 January 2024

Summary

The Jenkins Matrix Project Plugin prior to version 822.v01b_8c85d16d2 is vulnerable due to improper sanitization of user-defined axis names within multi-configuration projects. Consequently, attackers with Item/Configure permissions can exploit this flaw to create or modify config.xml files on the Jenkins controller file system. This misconfiguration allows potentially malicious content that is not directly controlled by the attackers to be introduced, impacting the integrity of the Jenkins server configurations.

Affected Version(s)

Jenkins Matrix Project Plugin 0 <= 822.v01b_8c85d16d2

References

https://www.jenkins.io/security/advisory/2024-01-24/#SECU...

vendor-advisory

http://www.openwall.com/lists/oss-security/2024/01/24/6

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 24, 2024
Vulnerability Reserved
Jan 23, 2024