Lucene search

Veracode Vulnerability DatabaseVERACODE:41417

HistoryJul 20, 2023 - 9:57 a.m.

Missing Permission Check

2023-07-2009:57:19

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

jenkins

plugin

elasticbox

vulnerability

unauthorized access

http endpoints

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

0.001 Low

EPSS

Percentile

21.0%

JSON

org.jenkins-ci.plugins:elasticbox is vulnerable to Missing Permission Checks. The vulnerability exists because the library does not perform permission checks in several HTTP endpoints, which allows an attacker to connect to URLs with credentials obtained through a deferent method, resulting in stored credential capturing in Jenkins.

CPENameOperatorVersion
elasticbox ci plug-inle4.0.8
elasticbox ci plug-inle4.0.8

CPE	Name	Operator	Version
	elasticbox ci plug-in	le	4.0.8
	elasticbox ci plug-in	le	4.0.8

References

www.openwall.com/lists/oss-security/2023/07/12/2

github.com/advisories/GHSA-gg44-xm5p-x9cm

www.jenkins.io/security/advisory/2023-07-12/#SECURITY-3131

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

0.001 Low

EPSS

Percentile

21.0%

JSON

Related for VERACODE:41417