PT-2023-21889 · Jenkins · Jenkins Role-Based Authorization Strategy Plugin
Daniel Beck
Published 2023-03-23 · Updated 2025-02-25
CVE-2023-28668
CVSS v3.1 9.8 Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Jenkins Role-based Authorization Strategy Plugin versions 587.v2872c41fa_e51 and earlier
Description
Role-based Authorization Strategy Plugin 587.v2872c41fa_e51 and earlier keeps granting a permission after that permission has been disabled in Jenkins (for example, from the script console). Jenkins allows individual permissions to be switched off, in which case only the permission that implies them should still grant the corresponding access; the plugin ignored this flag and continued to honor roles that name the disabled permission. As a result, users who hold such a role, whether assigned directly or through group membership, retain more access than the administrator intended after disabling the permission.
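The following Python model, added here to illustrate the failure mode and not code from the plugin or from Jenkins, shows how a role-based lookup behaves when it walks the implied-by chain without consulting the enabled flag, next to a lookup that skips disabled permissions. The permission IDs mirror Jenkins core naming (Job/ExtendedRead is implied by Job/Configure, which is implied by Overall/Administer); the role and group names, the RoleMap class and its methods are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Iterable, Optional


@dataclass(frozen=True)
class Permission:
    """Toy stand-in for hudson.security.Permission: an id plus the permission
    that implies it (e.g. Job/ExtendedRead is implied by Job/Configure)."""
    id: str
    implied_by: Optional["Permission"] = None


# IDs follow Jenkins core naming; the hierarchy shown is the real one.
ADMINISTER = Permission("hudson.model.Hudson.Administer")
JOB_CONFIGURE = Permission("hudson.model.Item.Configure", implied_by=ADMINISTER)
JOB_EXTENDED_READ = Permission("hudson.model.Item.ExtendedRead", implied_by=JOB_CONFIGURE)


@dataclass(frozen=True)
class Role:
    """A named role granting a permission set to some SIDs (users or groups)."""
    name: str
    permissions: frozenset
    sids: frozenset


@dataclass
class RoleMap:
    """Hypothetical role map; `disabled` plays the part of Permission.setEnabled(false)."""
    roles: list
    disabled: set = field(default_factory=set)

    def disable(self, permission: Permission) -> None:
        # Models an admin running Permission.fromId(...).setEnabled(false) in the script console.
        self.disabled.add(permission.id)

    def _role_grants(self, sids: Iterable[str], p: Permission) -> bool:
        sids = set(sids)
        return any(p in r.permissions and not r.sids.isdisjoint(sids) for r in self.roles)

    def has_permission_vulnerable(self, sids: Iterable[str], permission: Permission) -> bool:
        """Behaviour described for 587.v2872c41fa_e51 and earlier: the implied-by
        chain is walked, but a role naming a disabled permission still grants it."""
        p = permission
        while p is not None:
            if self._role_grants(sids, p):
                return True
            p = p.implied_by
        return False

    def has_permission_fixed(self, sids: Iterable[str], permission: Permission) -> bool:
        """Hardened lookup: a disabled permission is never granted directly, so access
        is only possible through the permission that implies it."""
        p = permission
        while p is not None:
            if p.id not in self.disabled and self._role_grants(sids, p):
                return True
            p = p.implied_by
        return False


def effective_sids(user: str, groups: Iterable[str]) -> set:
    """A user's SIDs: their own name plus every group they belong to."""
    return {user, *groups}


def build_demo_rolemap() -> RoleMap:
    """Constructed sample: auditors get Job/ExtendedRead only; developers get Job/Configure."""
    return RoleMap(roles=[
        Role("auditor", frozenset({JOB_EXTENDED_READ}), frozenset({"auditors"})),
        Role("developer", frozenset({JOB_CONFIGURE}), frozenset({"developers"})),
    ])


if __name__ == "__main__":
    rm = build_demo_rolemap()
    alice = effective_sids("alice", ["auditors"])
    bob = effective_sids("bob", ["developers"])
    rm.disable(JOB_EXTENDED_READ)  # admin switches the permission off
    print("alice, vulnerable:", rm.has_permission_vulnerable(alice, JOB_EXTENDED_READ))
    print("alice, fixed:     ", rm.has_permission_fixed(alice, JOB_EXTENDED_READ))
    print("bob, fixed:       ", rm.has_permission_fixed(bob, JOB_EXTENDED_READ))
```

After the admin disables Job/ExtendedRead, the vulnerable lookup still returns true for the auditor, while the hardened lookup denies it; a developer keeps extended read access in both cases because Job/Configure, which implies it, is still enabled and granted. That is the intended meaning of disabling a permission in Jenkins, and the behaviour the plugin failed to honor.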
Recommendations
Update Role-based Authorization Strategy Plugin to version 587.588.v850a_20a_30162 or later, which no longer grants disabled permissions. After updating, review roles that explicitly name permissions you have disabled and confirm that users assigned to them (directly or via groups) no longer hold the corresponding access.
Fix
Role-based Authorization Strategy Plugin 587.588.v850a_20a_30162 no longer grants disabled permissions.
Weakness Enumeration
CWE-281: Improper Preservation of Permissions
Related Identifiers
CVE-2023-28668
Affected Products
Jenkins
Jenkins Role-Based Authorization Strategy Plugin