PT-2023-18356 · Jenkins · Jenkins Code Dx Plugin
Published 2023-05-16 · Updated 2023-05-25 · CVE-2023-2196
CVSS v3.1: 4.3 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins Code Dx Plugin versions 3.1.0 and earlier
Description
A missing permission check in the plugin allows attackers with Item/Read permission to check whether an attacker-specified file path exists on an agent file system. The weakness is a form validation method that neither verifies the caller's permission nor restricts the path it resolves. The estimated number of potentially affected devices worldwide is not specified.
Recommendations
For Jenkins Code Dx Plugin versions 3.1.0 and earlier, update to version 4.0.0 or later, which requires Item/Configure permission for the form validation method and ensures that only files located within the workspace can be checked.
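The two properties the fix introduces (a permission check and confinement to the workspace) map onto a well-known Jenkins plugin pattern. The following is an added illustration written for this page, not the Code Dx plugin's own code: the class, field and method names (`ExampleReportBuilder`, `doCheckReportPath`) are hypothetical, while `FormValidation`, `@AncestorInPath`, `@QueryParameter`, `Item.CONFIGURE`, `AbstractProject.getSomeWorkspace()` and `FilePath.isDescendant()` are Jenkins core APIs. The first method shows the vulnerable shape the advisory describes; the second shows the hardened form.

```java
// Added example (not the Code Dx plugin's code). Demonstrates a Jenkins
// form-validation method before and after the kind of hardening the
// advisory's fix describes. Class, field and method names are hypothetical.
package example.hardening;

import hudson.Extension;
import hudson.FilePath;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;

import java.io.File;
import java.io.IOException;

public class ExampleReportBuilder extends Builder {

    @Extension
    public static class DescriptorImpl extends BuildStepDescriptor<Builder> {

        // VULNERABLE shape: no permission check, and the supplied path is
        // resolved as given. Because FilePath.child() accepts absolute paths
        // and "..", anyone who can reach the form (Item/Read suffices to load
        // the job page) learns whether arbitrary files exist on the agent.
        public FormValidation doCheckReportPathUnsafe(@AncestorInPath AbstractProject<?, ?> project,
                                                      @QueryParameter String value) {
            try {
                FilePath ws = project.getSomeWorkspace();
                if (ws == null) {
                    return FormValidation.ok();
                }
                return ws.child(value).exists()
                        ? FormValidation.ok()
                        : FormValidation.error("File not found");
            } catch (IOException | InterruptedException e) {
                return FormValidation.error(e.getMessage());
            }
        }

        // HARDENED shape: require Item/Configure (the permission needed to
        // edit the job anyway) and only ever look inside the job's workspace.
        public FormValidation doCheckReportPath(@AncestorInPath AbstractProject<?, ?> project,
                                                @QueryParameter String value) {
            // No job in the request path (e.g. a global page): nothing to validate.
            if (project == null) {
                return FormValidation.ok();
            }
            // Throws AccessDeniedException for callers who only hold Item/Read.
            project.checkPermission(Item.CONFIGURE);

            if (value == null || value.trim().isEmpty()) {
                return FormValidation.ok();
            }
            try {
                FilePath ws = project.getSomeWorkspace();
                if (ws == null) {
                    return FormValidation.warning("No workspace yet; path cannot be checked");
                }
                // Reject absolute paths outright, then let Jenkins confirm the
                // candidate stays under the workspace even after symlink
                // resolution on the agent (isDescendant expects a relative path).
                if (new File(value).isAbsolute() || !ws.isDescendant(value)) {
                    return FormValidation.error("Path must be relative to, and inside, the workspace");
                }
                return ws.child(value).exists()
                        ? FormValidation.ok()
                        : FormValidation.warning("File does not exist in the workspace (yet)");
            } catch (IOException | InterruptedException e) {
                return FormValidation.error("Could not check path: " + e.getMessage());
            }
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }
    }
}
```

Two details matter when reviewing a plugin for this class of bug: the permission check must run before any filesystem access (an early `ok()` return for the no-job case is fine because it touches nothing), and the containment check has to be done by the agent-aware `FilePath` API rather than by string comparison on the controller, since the path is resolved on the agent's filesystem.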
Fix
Path traversal
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jenkins Code Dx Plugin