History: Sep 06, 2023 - 1:15 p.m.

CVE-2023-41930

2023-09-06 13:15:09
CWE-22
web.nvd.nist.gov
cve-2023-41930, jenkins, job config history, plugin, security, vulnerability, nvd

CVSS3: 4.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score: 4.5 Medium
Confidence: High

EPSS: 0.0005 Low
Percentile: 16.4%

Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict the ‘name’ query parameter when rendering a history entry, allowing attackers to have Jenkins render a manipulated configuration history that was not created by the plugin.

Affected configurations

NVD
Node: jenkins job_configuration_history, range ≤ 1227.v7a_79fc4dc01f (jenkins)

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Jenkins Job Configuration History Plugin",
    "vendor": "Jenkins Project",
    "versions": [
      {
        "lessThanOrEqual": "1227.v7a_79fc4dc01f",
        "status": "affected",
        "version": "0",
        "versionType": "maven"
      }
    ]
  }
]
