CVE-2023-32979

2023-05-1616:15:10

Google

osv.dev

jenkins

email extension plugin

permission vulnerability

form validation

file existence

controller file system

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

6.8 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

17.1%

JSON

Jenkins Email Extension Plugin does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files in the email-templates/ directory in the Jenkins home directory on the controller file system.

CPENameOperatorVersion
email-ext-plugineqemail-ext-2.40.3
email-ext-plugineqemail-ext-2.22
email-ext-plugineqemail-ext-2.96
email-ext-plugineqemail-ext-2.37.1
email-ext-plugineqemail-ext-2.71
email-ext-plugineqemail-ext-2.25
email-ext-plugineqemail-ext-2.84
email-ext-plugineqemail-ext-2.18
email-ext-plugineqemail-ext-2.28
email-ext-plugineqemail-ext-2.65

Name	Operator	Version
email-ext-plugin	eq	email-ext-2.40.3
email-ext-plugin	eq	email-ext-2.22
email-ext-plugin	eq	email-ext-2.96
email-ext-plugin	eq	email-ext-2.37.1
email-ext-plugin	eq	email-ext-2.71
email-ext-plugin	eq	email-ext-2.25
email-ext-plugin	eq	email-ext-2.84
email-ext-plugin	eq	email-ext-2.18
email-ext-plugin	eq	email-ext-2.28
email-ext-plugin	eq	email-ext-2.65