PT-2023-19251 · Synopsys+1 · Synopsys Jenkins Coverity Plugin+1

Daniel Beck

Published

2023-02-15

Updated

2025-03-18

CVE-2023-23850

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Synopsys Jenkins Coverity Plugin versions 3.0.2 and earlier

Description A missing permission check in the Synopsys Jenkins Coverity Plugin allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. This issue affects several HTTP endpoints, which can be used as part of an attack to capture the credentials using another vulnerability.

Recommendations For Synopsys Jenkins Coverity Plugin versions 3.0.2 and earlier, update to version 3.0.3 or later, which requires appropriate permissions to enumerate credentials IDs. As a temporary workaround, consider restricting access to the affected HTTP endpoints to minimize the risk of exploitation.

Fix

Missing Authorization

Incorrect Default Permissions

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862CWE-276

Related Identifiers

CVE-2023-23850

GHSA-JWR6-75XH-JH5J

Affected Products

Jenkins

Synopsys Jenkins Coverity Plugin

PT-2023-19251 · Synopsys+1 · Synopsys Jenkins Coverity Plugin+1

CVE-2023-23850

Weakness Enumeration

Related Identifiers

Affected Products

References · 9