Lucene search

GitHub Advisory DatabaseGHSA-PX39-5H8C-J3C8

HistoryJul 19, 2023 - 6:30 p.m.

Exposure of system-scoped credentials in Jenkins Dimensions Plugin

2023-07-1918:30:56

GitHub Advisory Database

github.com

jenkins

dimensions plugin

system-scoped credentials

global configuration

attackers

item/configure permission

credentials lookup

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

31.1%

JSON

Dimensions Plugin 0.9.3 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration.

This allows attackers with Item/Configure permission to access and capture credentials they are not entitled to.

Dimensions Plugin 0.9.3.1 defines the appropriate context for credentials lookup.

Affected configurations

Vulners

Node

org.jenkinsci.plugins\Matchdimensionsscm

CPENameOperatorVersion
org.jenkins-ci.plugins:dimensionsscmle0.9.3

CPE	Name	Operator	Version
	org.jenkins-ci.plugins:dimensionsscm	le	0.9.3

References

github.com/advisories/GHSA-px39-5h8c-j3c8

nvd.nist.gov/vuln/detail/CVE-2023-32262

plugins.jenkins.io/dimensionsscm/

portal.microfocus.com/s/article/KM000019298

www.jenkins.io/security/advisory/2023-06-14/#SECURITY-3143

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

31.1%

JSON

Related for GHSA-PX39-5H8C-J3C8