Lucene search

GitHub Advisory DatabaseGHSA-W3P4-7823-M33Q

HistoryJul 12, 2023 - 6:30 p.m.

Jenkins Datadog Plugin does not perform a permission check in an HTTP endpoint.

2023-07-1218:30:38

CWE-862

GitHub Advisory Database

github.com

jenkins

datadog

plugin

vulnerability

permission

http

endpoint

security

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

28.0%

JSON

Jenkins Datadog Plugin 5.4.1 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Datadog Plugin 5.4.2 requires Overall/Administer permission to access the affected HTTP endpoint.

Affected configurations

Vulners

Node

org.datadog.jenkins.pluginsdatadogRange<5.4.2

VendorProductVersionCPE
org.datadog.jenkins.pluginsdatadog*cpe:2.3:a:org.datadog.jenkins.plugins:datadog:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.datadog.jenkins.plugins	datadog	*	cpe:2.3:a:org.datadog.jenkins.plugins:datadog::::::::

References

www.openwall.com/lists/oss-security/2023/07/12/2

github.com/advisories/GHSA-w3p4-7823-m33q

nvd.nist.gov/vuln/detail/CVE-2023-37944

www.jenkins.io/security/advisory/2023-07-12/#SECURITY-3130

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

28.0%

JSON

Related for GHSA-W3P4-7823-M33Q