GHSA-436g-2f92-cvhh

GitHub Security Advisory

Jenkins Role-based Authorization Strategy Plugin grants permissions even after they’ve been disabled

GitHub Reviewed · Severity: MODERATE · Has CVE

Advisory Details

Permissions in Jenkins can be enabled and disabled. Some permissions are disabled by default, e.g., Overall/Manage or Item/Extended Read. Disabled permissions cannot be granted directly, only through greater permissions that imply them (e.g., Overall/Administer or Item/Configure).

Role-based Authorization Strategy Plugin 587.v2872c41fa_e51 and earlier grants permissions even after they’ve been disabled.

This allows attackers to obtain greater access than they are entitled to once the following two operations have taken place, in this order:

1. A permission is granted to attackers, either directly or through groups.

2. That permission is disabled, e.g., through the script console.

Role-based Authorization Strategy Plugin 587.588.v850a_20a_30162 does not grant disabled permissions.
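The flawed and the corrected permission checks side by side, as an added illustration that is not the plugin's own code. It assumes only the Jenkins core API `hudson.security.Permission` (its `impliedBy` field and `getEnabled()` method); the `granted` set stands in for whatever the plugin resolves from roles and groups.

```java
import hudson.security.Permission;
import java.util.Set;

/**
 * Illustration of the advisory's flaw, not code from the plugin.
 * `granted` models the permissions a user holds through roles or groups.
 */
public final class DisabledPermissionCheck {

    /** Flawed check: a grant of `requested` is honoured even after it was disabled. */
    public static boolean hasPermissionIgnoringDisabled(Set<Permission> granted,
                                                        Permission requested) {
        // Walk up the implication chain, e.g. Overall/Manage -> Overall/Administer.
        for (Permission p = requested; p != null; p = p.impliedBy) {
            if (granted.contains(p)) {
                return true; // a direct grant of a disabled permission still passes here
            }
        }
        return false;
    }

    /**
     * Hardened check: a disabled permission is never honoured on its own. It can
     * only be obtained through an enabled permission that implies it, which is
     * the rule the advisory describes (Overall/Administer implying Overall/Manage).
     */
    public static boolean hasPermission(Set<Permission> granted, Permission requested) {
        for (Permission p = requested; p != null; p = p.impliedBy) {
            if (!p.getEnabled()) {
                continue; // skip disabled levels but keep walking up the chain
            }
            if (granted.contains(p)) {
                return true; // granted via an enabled permission
            }
        }
        return false;
    }
}
```

With Overall/Manage disabled and granted directly, the flawed check returns true and the hardened one returns false; if Overall/Administer is granted instead, both return true because the enabled implying permission is found one level up.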

Affected Packages

Maven org.jenkins-ci.plugins:role-strategy
Affected versions: >= 0, i.e. 587.v2872c41fa_e51 and earlier (fixed in 587.588.v850a_20a_30162)

Key Information

GHSA ID
GHSA-436g-2f92-cvhh
Published
April 2, 2023 9:30 PM
Last Modified
February 25, 2025 9:42 PM
CVSS Score
5.0 /10
Primary Ecosystem
Maven
Primary Package
org.jenkins-ci.plugins:role-strategy
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 3, 2025 6:26 AM

Data from GitHub Advisory Database.