PT-2023-6747 · Jenkins · Jenkins Email Extension Plugin

Yaroslav Afenkin · Published 2023-02-15 · Updated 2025-03-19 · CVE-2023-25765

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Jenkins Email Extension Plugin versions 2.93 and earlier

Description: The issue is caused by insufficient access control in the Jenkins Email Extension Plugin. Email templates defined inside a folder are not subject to Script Security protection, so an attacker who can define email templates in folders can bypass the sandbox and execute arbitrary code in the context of the Jenkins controller JVM.

Recommendations: For Jenkins Email Extension Plugin versions 2.93 and earlier, update to a version that includes the fix for this issue so that the arbitrary code execution is no longer possible. At the time of writing, no information about a newer version containing a fix for this vulnerability is available.

Weakness Enumeration

Protection Mechanism Failure

Improper Access Control

Related Identifiers

BDU:2023-07534
CVE-2023-25765
GHSA-C9C2-WCXH-3W5J

Affected Products

Jenkins
Jenkins Email Extension Plugin