CVE-2023-35147: Incorrect Permission Assignment for Critical Resource

June 14, 2023 (updated January 30, 2024)

Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not restrict the AWS SQS queue name path parameter in an HTTP endpoint, allowing attackers with Item/Read permission to obtain the contents of arbitrary files on the Jenkins controller file system.

References

www.openwall.com/lists/oss-security/2023/06/14/5
github.com/advisories/GHSA-whgj-6m78-2gg9
nvd.nist.gov/vuln/detail/CVE-2023-35147
www.jenkins.io/security/advisory/2023-06-14/

Detect and mitigate CVE-2023-35147 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →