CVE-2023-37965

Name of the Vulnerable Software and Affected Versions Jenkins ElasticBox CI Plugin versions 5.0.1 and earlier

Description A missing permission check in the plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs, capturing credentials stored in Jenkins. The plugin does not perform permission checks in several HTTP endpoints, which also results in a cross-site request forgery (CSRF) vulnerability, as these endpoints do not require POST requests.

Recommendations For Jenkins ElasticBox CI Plugin versions 5.0.1 and earlier, consider disabling the plugin until a patch is available to prevent attackers from exploiting the missing permission check and CSRF vulnerability. Restrict access to the affected HTTP endpoints to minimize the risk of exploitation. Avoid using the plugin with Overall/Read permission to reduce the attack surface. At the moment, there is no information about a newer version that contains a fix for this vulnerability.