HistoryJan 26, 2023 - 9:18 p.m.

CVE-2023-24429

Published: 2023-01-26 21:18:17

CWE-611

jenkins

web.nvd.nist.gov

Tags: cve-2023-24429, jenkins, semantic versioning plugin, ssrf, security, vulnerability, nvd

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.2

Confidence

High

EPSS

0.003

Percentile

66.4%

Jenkins Semantic Versioning Plugin 1.14 and earlier does not restrict execution of a controller/agent message to agents, and places no restrictions on the file path that can be parsed, allowing attackers able to control agent processes to have Jenkins parse a crafted file that uses external entities, leading to extraction of secrets from the Jenkins controller or server-side request forgery.

Affected configurations

Nvd

Node: jenkins / semantic_versioning, Range < 1.15, platform jenkins

Vendor    Product               Version   CPE
jenkins   semantic_versioning   *         cpe:2.3:a:jenkins:semantic_versioning:*:*:*:*:*:jenkins:*:*

CNA Affected

[
  {
    "product": "Jenkins Semantic Versioning Plugin",
    "vendor": "Jenkins Project",
    "versions": [
      {
        "lessThanOrEqual": "1.14",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
