First published: Wed Feb 15 2023
Missing permission checks in Synopsys Jenkins Coverity Plugin 3.0.2 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Credit: disclosure@synopsys.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins Synopsys Coverity | < 3.0.3 | Upgrade to 3.0.3 |
| maven/org.jenkins-ci.plugins:synopsys-coverity | <= 3.0.2 | 3.0.3 |
CVE-2023-23848 affects Synopsys Jenkins Coverity Plugin 3.0.2 and earlier; version 3.0.3 adds the missing permission checks.
CVE-2023-23848 has a severity level of medium, with a CVSS score of 4.3.
To exploit it, an attacker holding only Overall/Read permission supplies a server URL of their choosing together with a credentials ID obtained through another method. Because the plugin does not check the caller's permissions, the Jenkins controller itself opens the connection to the attacker's server and authenticates with the stored credentials, which the attacker's server then captures.
CVE-2023-23848 falls under CWE-276 (Incorrect Default Permissions) and CWE-862 (Missing Authorization).