CVE-2023-24433: Missing permission checks in Jenkins Orka Plugin allow capturing credentials

January 26, 2023 (updated January 27, 2023)

Missing permission checks in Jenkins Orka by MacStadium Plugin 1.31 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

References

github.com/advisories/GHSA-gmhf-37fx-c4q8
nvd.nist.gov/vuln/detail/CVE-2023-24433
www.jenkins.io/security/advisory/2023-01-24/

Detect and mitigate CVE-2023-24433 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →