PT-2023-31648 · Jenkins · Jenkins Paaslane Estimate Plugin+1

Published

2023-12-13

Updated

2023-12-18

CVE-2023-50779

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions Jenkins PaaSLane Estimate Plugin versions 1.0.4 and earlier

Description The issue is related to missing permission checks in the plugin, allowing attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified token. This affects several HTTP endpoints.

Recommendations For versions 1.0.4 and earlier, consider disabling the plugin until a patch is available to prevent attackers from exploiting the missing permission checks. Restrict access to the affected HTTP endpoints to minimize the risk of exploitation. Avoid using the plugin with Overall/Read permission until the issue is resolved.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

CVE-2023-50779

GHSA-JQR2-7F24-XRGC

Affected Products

Jenkins

Jenkins Paaslane Estimate Plugin

PT-2023-31648 · Jenkins · Jenkins Paaslane Estimate Plugin+1

CVE-2023-50779

Weakness Enumeration

Related Identifiers

Affected Products

References · 8