CVE-2023-37960

Name of the Vulnerable Software and Affected Versions Jenkins MathWorks Polyspace Plugin versions 1.0.5 and earlier

Description The issue allows attackers with Item/Configure permission to send emails with arbitrary files from the Jenkins controller file system. This is due to the lack of restriction on the path of attached files in the Polyspace Notification post-build step.

Recommendations For Jenkins MathWorks Polyspace Plugin versions 1.0.5 and earlier, consider restricting access to the Polyspace Notification post-build step to prevent attackers from sending emails with arbitrary files. As a temporary workaround, restrict the Item/Configure permission to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.