Lucene search

GitHub Advisory DatabaseGHSA-GMHF-37FX-C4Q8

HistoryJan 26, 2023 - 9:30 p.m.

Missing permission checks in Jenkins Orka Plugin allow capturing credentials

2023-01-2621:30:18

CWE-862

GitHub Advisory Database

github.com

jenkins

orka

macstadium

plugin

permission checks

credentials

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

29.1%

JSON

Missing permission checks in Jenkins Orka by MacStadium Plugin 1.31 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Affected configurations

Vulners

Node

io.jenkins.pluginsmacstadium-orkaRange<1.32

VendorProductVersionCPE
io.jenkins.pluginsmacstadium-orka*cpe:2.3:a:io.jenkins.plugins:macstadium-orka:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
io.jenkins.plugins	macstadium-orka	*	cpe:2.3:a:io.jenkins.plugins:macstadium-orka::::::::

References

github.com/advisories/GHSA-gmhf-37fx-c4q8

nvd.nist.gov/vuln/detail/CVE-2023-24433

www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2772%20(2)

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

29.1%

JSON

Related for GHSA-GMHF-37FX-C4Q8