CWE: 281

CVE-2023-28668

First published: Thu Mar 23 2023 (Updated: )

Permissions in Jenkins can be enabled and disabled. Some permissions are disabled by default, e.g., Overall/Manage or Item/Extended Read. Disabled permissions cannot be granted directly, only through greater permissions that imply them (e.g., Overall/Administer or Item/Configure).

Role-based Authorization Strategy Plugin 587.v2872c41fa_e51 and earlier grants permissions even after they've been disabled. This allows attackers to have greater access than they're entitled to after the following operations took place:

  • A permission is granted to attackers directly or through groups.
  • The permission is disabled, e.g., through the script console.

Role-based Authorization Strategy Plugin 587.588.v850a_20a_30162 does not grant disabled permissions.
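The sequence above (grant, then disable) leaves a role definition that still carries the disabled permission. The following script-console audit, added here as an example and not code from SecAlerts or the plugin, lists every role that grants a currently disabled permission and the users/groups assigned to it; it assumes the plugin's RoleBasedAuthorizationStrategy class with its GLOBAL/PROJECT/SLAVE role-type constants and the getGrantedRoles(String) accessor.

```groovy
// Added audit example for the Jenkins script console (not SecAlerts' or the plugin's own code).
// Assumes the Role-based Authorization Strategy plugin classes and the
// getGrantedRoles(String) accessor; adjust if your plugin version exposes a different one.
import hudson.security.Permission
import jenkins.model.Jenkins
import com.michelin.cio.hudson.plugins.rolestrategy.RoleBasedAuthorizationStrategy

def strategy = Jenkins.get().getAuthorizationStrategy()
if (!(strategy instanceof RoleBasedAuthorizationStrategy)) {
    println "Role-based Authorization Strategy is not active; nothing to audit."
    return
}

// Permissions that are currently disabled (e.g. Overall/Manage, Item/Extended Read,
// or anything switched off via Permission.setEnabled(false) in the script console).
def disabled = Permission.getAll().findAll { !it.getEnabled() }
println "Disabled permissions: ${disabled.collect { it.getId() }}"

// Walk every role type and report roles that still carry a disabled permission,
// together with the users/groups (SIDs) assigned to that role. On plugin versions
// up to 587.v2872c41fa_e51 these SIDs effectively hold the permission despite it
// being disabled; on 587.588.v850a_20a_30162 and later the check is not granted,
// but the stale entry is still worth removing from the role.
def findings = []
[RoleBasedAuthorizationStrategy.GLOBAL,
 RoleBasedAuthorizationStrategy.PROJECT,
 RoleBasedAuthorizationStrategy.SLAVE].each { type ->
    strategy.getGrantedRoles(type).each { role, sids ->
        def stale = role.getPermissions().findAll { !it.getEnabled() }
        if (stale) {
            findings << [type: type, role: role.getName(),
                         permissions: stale.collect { it.getId() }, sids: sids]
        }
    }
}

if (findings.isEmpty()) {
    println "No role grants a disabled permission."
} else {
    findings.each { f ->
        println "${f.type}/${f.role}: ${f.permissions} granted to ${f.sids}"
    }
}
```

Run it as an administrator before and after upgrading: any line it prints is a role to clean up, and on the vulnerable versions it is also the set of accounts that currently hold access the disabled permission was meant to remove.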

Credit: jenkinsci-cert@googlegroups.com

Affected Software                           | Affected Version       | How to fix
Jenkins Role-based Authorization Strategy   | <=587.v2872c41fa_e51   | 587.588.v850a_20a_30162
maven/org.jenkins-ci.plugins:role-strategy  | <587.588.v850a         |


Frequently Asked Questions

  • What is Jenkins Role-based Authorization Strategy Plugin CVE-2023-28668?

    Jenkins Role-based Authorization Strategy Plugin CVE-2023-28668 is a vulnerability that allows permissions to be granted even after they've been disabled.

  • What is the severity of Jenkins Role-based Authorization Strategy Plugin CVE-2023-28668?

    Jenkins Role-based Authorization Strategy Plugin CVE-2023-28668 has a severity rating of 9.8 (Critical).

  • How does Jenkins Role-based Authorization Strategy Plugin CVE-2023-28668 impact users?

    Jenkins Role-based Authorization Strategy Plugin CVE-2023-28668 allows unauthorized users to still have permissions even if they've been disabled.

  • How can I fix Jenkins Role-based Authorization Strategy Plugin CVE-2023-28668?

    To fix Jenkins Role-based Authorization Strategy Plugin CVE-2023-28668, update to version 587.v2872c41fa_e52 or later.

  • Where can I find more information about Jenkins Role-based Authorization Strategy Plugin CVE-2023-28668?

    You can find more information about Jenkins Role-based Authorization Strategy Plugin CVE-2023-28668 on the Jenkins website: [link](https://www.jenkins.io/security/advisory/2023-03-21/#SECURITY-3053)
