CVE-2023-28668: Jenkins Role-based Authorization Strategy Plugin grants permissions even after they’ve been disabled
(updated )
Permissions in Jenkins can be enabled and disabled. Some permissions are disabled by default, e.g., Overall/Manage or Item/Extended Read. Disabled permissions cannot be granted directly, only through greater permissions that imply them (e.g., Overall/Administer or Item/Configure).
Role-based Authorization Strategy Plugin 587.v2872c41fa_e51 and earlier grants permissions even after they’ve been disabled.
This allows attackers to have greater access than they’re entitled to after the following operations took place:
A permission is granted to attackers directly or through groups.
The permission is disabled, e.g., through the script console.
Role-based Authorization Strategy Plugin 587.588.v850a_20a_30162 does not grant disabled permissions.
References
Detect and mitigate CVE-2023-28668 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →