CVE-2023-37949

Name of the Vulnerable Software and Affected Versions Jenkins Orka by MacStadium Plugin versions 1.33 and earlier

Description A missing permission check in the Jenkins Orka by MacStadium Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. The issue is related to an HTTP endpoint that does not perform a permission check, enabling attackers to exploit this weakness.

Recommendations For Jenkins Orka by MacStadium Plugin versions 1.33 and earlier, update to version 1.34 or later, which requires Overall/Administer permission to access the affected HTTP endpoint. As a temporary workaround, consider restricting access to the affected HTTP endpoint to minimize the risk of exploitation.