CVE-2023-50767

2023-12-1318:15:43

Google

osv.dev

jenkins

nexus platform plugin

permission checks

http requests

xml response

security vulnerability

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

13.4%

JSON

Missing permission checks in Jenkins Nexus Platform Plugin 3.18.0-03 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

CPENameOperatorVersion
nexus-platform-plugineqrelease-1.1.0-05
nexus-platform-plugineqrelease-3.18.0-02
nexus-platform-plugineq3.16.476.v410d6968f400
nexus-platform-plugineq3.16.478.v41ee37380162
nexus-platform-plugineq3.16.510.v4d23e22cf563
nexus-platform-plugineqnexus-jenkins-plugin-3.11.20210716-075132.3b66565
nexus-platform-plugineqrelease-3.18.0-03
nexus-platform-plugineq3.14.431.v37ca_dc788b_b_1
nexus-platform-plugineq3.14.412.v8021dc9cc4ef
nexus-platform-plugineqrelease-1.0.0-02

Name	Operator	Version
nexus-platform-plugin	eq	release-1.1.0-05
nexus-platform-plugin	eq	release-3.18.0-02
nexus-platform-plugin	eq	3.16.476.v410d6968f400
nexus-platform-plugin	eq	3.16.478.v41ee37380162
nexus-platform-plugin	eq	3.16.510.v4d23e22cf563
nexus-platform-plugin	eq	nexus-jenkins-plugin-3.11.20210716-075132.3b66565
nexus-platform-plugin	eq	release-3.18.0-03
nexus-platform-plugin	eq	3.14.431.v37ca_dc788b_b_1
nexus-platform-plugin	eq	3.14.412.v8021dc9cc4ef
nexus-platform-plugin	eq	release-1.0.0-02