PT-2023-25166 · Jenkins · Jenkins Aws Codecommit Trigger Plugin+1

Atorralba

Publicado

2023-06-14

Atualizado

2024-12-31

CVE-2023-35147

CVSS v3.1

6.5

Média

Vetor

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Jenkins AWS CodeCommit Trigger Plugin versions 3.0.12 and earlier

Description The issue allows attackers with Item/Read permission to obtain the contents of arbitrary files on the Jenkins controller file system due to the lack of restriction on the AWS SQS queue name path parameter in an HTTP endpoint.

Recommendations For Jenkins AWS CodeCommit Trigger Plugin versions 3.0.12 and earlier, consider restricting access to the HTTP endpoint until a patch is available. As a temporary workaround, restrict the Item/Read permission to minimize the risk of exploitation.

Correção

Incorrect Permission

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-732

Identificadores relacionados

CVE-2023-35147

GHSA-WHGJ-6M78-2GG9

Produtos afetados

Jenkins

Jenkins Aws Codecommit Trigger Plugin

PT-2023-25166 · Jenkins · Jenkins Aws Codecommit Trigger Plugin+1

CVE-2023-35147

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 7