PT-2023-5742 · Jenkins · Jenkins Maven Artifact Choicelistprovider (Nexus) Plugin
Alvaro Muñoz · Published 2023-08-16 · Updated 2023-08-18 · CVE-2023-40347
CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin versions 1.14 and earlier
Description
The issue is insufficient protection of credentials: the plugin does not set the appropriate context for credentials lookup. As a result, attackers with Item/Configure permission can access and capture credentials they are not entitled to, gaining unauthorized access to protected information.
Recommendations
For Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin versions 1.14 and earlier, as a temporary workaround, consider restricting access to the plugin until a patch is available. Additionally, limit the use of System-scoped credentials to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Insufficiently Protected Credentials
Information Disclosure
Affected Products
Jenkins
Jenkins Maven Artifact Choicelistprovider (Nexus) Plugin