CVE-2023-37949

CWE-862 — Missing Authorization5 documents5 sources

Severity

7.1HIGH

EPSS

0.1%

top 69.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Orka BY Macstadium Jenkins Project Jenkins Orka BY Macstadium Plugin

Timeline

PublishedJul 12

Description

A missing permission check in Jenkins Orka by MacStadium Plugin 1.33 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:NExploitability: 2.8 | Impact: 4.2

Affected Packages3 packages

▶Mavenio.jenkins.plugins:macstadium-orka< 1.34

▶CVEListV5jenkins_project/jenkins_orka_by_macstadium_plugin1.33

▶NVDjenkins/orka_by_macstadium< 1.34

🔴Vulnerability Details

OSV

Jenkins Orka by MacStadium Plugin missing permission check↗2023-07-12

▶

CVEList

CVE-2023-37949: A missing permission check in Jenkins Orka by MacStadium Plugin 1↗2023-07-12

▶

GHSA

Jenkins Orka by MacStadium Plugin missing permission check↗2023-07-12

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2023-07-12↗2023-07-12

▶