Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2023-49652

UNKNOWN
Published 2023-11-29T13:45:09.576Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2023-49652. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

Incorrect permission checks in Jenkins Google Compute Engine Plugin 4.550.vb_327fca_3db_11 and earlier allow attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate system-scoped credentials IDs of credentials stored in Jenkins and to connect to Google Cloud Platform using attacker-specified credentials IDs obtained through another method, to obtain information about existing projects. This fix has been backported to 4.3.17.1.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Jenkins Project

Jenkins Google Compute Engine Plugin

Affected Versions:

4.551.v5a_4dc98f6962 4.3.17.1

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed MODERATE

Jenkins Google Compute Engine Plugin has incorrect permission checks

GHSA-pgpj-83g3-mfr2

Advisory Details

Jenkins Google Compute Engine Plugin 4.550.vb_327fca_3db_11 and earlier does not correctly perform permission checks in multiple HTTP endpoints. This allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to do the following: - Enumerate system-scoped credentials IDs of credentials stored in Jenkins. Those can be used as part of an attack to capture the credentials using another vulnerability. - Connect to Google Cloud Platform using attacker-specified credentials IDs obtained through another method, to obtain information about existing projects. Google Compute Engine Plugin 4.551.v5a_4dc98f6962 requires Overall/Administer permission for the affected HTTP endpoints.

Affected Packages

Maven org.jenkins-ci.plugins:google-compute-engine
ECOSYSTEM: ≥0 <4.3.17.1
Maven org.jenkins-ci.plugins:google-compute-engine
ECOSYSTEM: ≥4.5 <4.551.v5a

CVSS Scoring

CVSS Score

5.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-49652
WEB https://www.jenkins.io/security/advisory/2023-11-29/#SECURITY-2835
WEB http://www.openwall.com/lists/oss-security/2023/11/29/1

Advisory provided by GitHub Security Advisory Database. Published: November 29, 2023, Modified: November 29, 2023

References

https://www.jenkins.io/security/advisory/2023-11-29/#SECURITY-2835
http://www.openwall.com/lists/oss-security/2023/11/29/1
Published: 2023-11-29T13:45:09.576Z
Last Modified: 2024-08-02T22:01:25.605Z
Copied to clipboard!