CVE-2023-24429: XEE
First published: Tue Jan 24 2023(Updated: )
Jenkins Semantic Versioning Plugin 1.14 and earlier does not restrict execution of an controller/agent message to agents, and implements no limitations about the file path that can be parsed, allowing attackers able to control agent processes to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins Semantic Versioning | <1.15 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for Jenkins Semantic Versioning Plugin?
The vulnerability ID for Jenkins Semantic Versioning Plugin is CVE-2023-24429.
What is the severity of CVE-2023-24429?
The severity of CVE-2023-24429 is critical with a score of 9.8.
What is affected by CVE-2023-24429?
Jenkins Semantic Versioning Plugin versions 1.14 and earlier are affected by CVE-2023-24429.
What is the CWE ID for CVE-2023-24429?
The CWE ID for CVE-2023-24429 is CWE-611.
How can I fix the vulnerability in Jenkins Semantic Versioning Plugin?
To fix the vulnerability in Jenkins Semantic Versioning Plugin, update to version 1.15 or later.
- collector/nvd-index
- collector/mitre-cve
- collector/nvd-api
- agent/severity
- agent/author
- vendor/jenkins
- canonical/jenkins semantic versioning