CVE-2023-28668: Jenkins Role-based Authorization Strategy Plugin grants permissions even after they’ve been disabled

April 2, 2023 (updated February 25, 2025)

Permissions in Jenkins can be enabled and disabled. Some permissions are disabled by default, e.g., Overall/Manage or Item/Extended Read. Disabled permissions cannot be granted directly, only through greater permissions that imply them (e.g., Overall/Administer or Item/Configure).

Role-based Authorization Strategy Plugin 587.v2872c41fa_e51 and earlier grants permissions even after they’ve been disabled.

This allows attackers to have greater access than they’re entitled to after the following operations took place:

A permission is granted to attackers directly or through groups.

The permission is disabled, e.g., through the script console.

Role-based Authorization Strategy Plugin 587.588.v850a_20a_30162 does not grant disabled permissions.

References

Detect and mitigate CVE-2023-28668 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →