CVE-2023-46651: Jenkins Warnings Plugin exposes system-scoped credentials
Jenkins Warnings Plugin 10.5.0 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to. In Jenkins, credentials with System scope are meant to be usable only by Jenkins itself (for example for agent or notification connections) and never from a job; whether a lookup returns them depends on the context object passed to the credentials API, so a lookup that is not scoped to the job using the credential also returns System-scoped credentials. Item/Configure is the permission needed to edit a job's configuration, so any user who can configure a job that uses the plugin is in scope. The fix has been backported to 10.4.1. Operators can confirm the installed version of the plugin (plugin id warnings-ng) under Manage Jenkins, Plugins.
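The following is an added illustration of the vulnerability class described above, written against the Jenkins Credentials Plugin API; it is not the Warnings Plugin's own code and does not reproduce the actual fix commits. The class name and method names below are assumptions for the example; only CredentialsProvider, CredentialsMatchers, ACL and the model types are the real API. It contrasts a lookup performed against the Jenkins root (which hands out System-scoped credentials) with one scoped to the job, and with the Run-based helper that also records usage on the build.

```java
// Added example: credentials lookup context in Jenkins plugins. Not the Warnings Plugin's code.
// CredentialsLookupExample, lookupVulnerable, lookupScoped and lookupForRun are assumed names.
import java.util.Collections;
import java.util.List;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.model.Item;
import hudson.model.Run;
import hudson.security.ACL;
import jenkins.model.Jenkins;

public final class CredentialsLookupExample {

    private CredentialsLookupExample() {
    }

    /**
     * Vulnerable pattern: the lookup context is the Jenkins root, so the system credentials
     * provider returns System-scoped credentials as well as Global ones. A user who can
     * configure a job can then select such a credential by id and have the job use it.
     */
    public static StandardUsernamePasswordCredentials lookupVulnerable(String credentialsId) {
        List<StandardUsernamePasswordCredentials> candidates = CredentialsProvider.lookupCredentials(
                StandardUsernamePasswordCredentials.class,
                Jenkins.get(),                           // root context: System scope included
                ACL.SYSTEM,
                Collections.<DomainRequirement>emptyList());
        return CredentialsMatchers.firstOrNull(candidates, CredentialsMatchers.withId(credentialsId));
    }

    /**
     * Hardened pattern: pass the job (Item) as the lookup context. For an Item context the
     * system credentials provider excludes System-scoped credentials, so they are no longer
     * reachable from a job configuration; Global and folder credentials the job is entitled
     * to are still found.
     */
    public static StandardUsernamePasswordCredentials lookupScoped(Item job, String credentialsId) {
        List<StandardUsernamePasswordCredentials> candidates = CredentialsProvider.lookupCredentials(
                StandardUsernamePasswordCredentials.class,
                job,                                     // item context: System scope excluded
                ACL.SYSTEM,
                Collections.<DomainRequirement>emptyList());
        return CredentialsMatchers.firstOrNull(candidates, CredentialsMatchers.withId(credentialsId));
    }

    /**
     * Same idea for code running inside a build: findCredentialById derives the Item context
     * from the Run and records the credential usage on that build (fingerprint tracking),
     * which is what a practitioner wants for auditing which builds touched which credential.
     */
    public static StandardUsernamePasswordCredentials lookupForRun(Run<?, ?> run, String credentialsId) {
        return CredentialsProvider.findCredentialById(
                credentialsId,
                StandardUsernamePasswordCredentials.class,
                run,
                Collections.<DomainRequirement>emptyList());
    }
}
```

When reviewing a plugin for this class of bug, search for calls to CredentialsProvider.lookupCredentials whose context argument is Jenkins.get() (or a similar root reference) while the credential id comes from a job or step configuration; those are the lookups that should take the Item or Run instead.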
References
- www.openwall.com/lists/oss-security/2023/10/25/2
- github.com/advisories/GHSA-66hv-fhcm-7xm7
- github.com/jenkinsci/warnings-ng-plugin/commit/17d18d2fae58f5658a40d03a03f927819eb6cf1a
- github.com/jenkinsci/warnings-ng-plugin/commit/372cd40ce73b25d8ae632b262f6ae1cd36ad9e4c
- nvd.nist.gov/vuln/detail/CVE-2023-46651
- www.jenkins.io/security/advisory/2023-10-25/
Detect and mitigate CVE-2023-46651 with GitLab Dependency Scanning, which verifies that the open source dependencies used in your projects contain no disclosed vulnerabilities.