CVE-2023-49652

CVSS v3.1 2.7 (Low)

EPSS 0.04 % (14^th)

Affected Products 1

Advisories 2

Incorrect permission checks in Jenkins Google Compute Engine Plugin 4.550.vb_327fca_3db_11 and earlier allow attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate system-scoped credentials IDs of credentials stored in Jenkins and to connect to Google Cloud Platform using attacker-specified credentials IDs obtained through another method, to obtain information about existing projects. This fix has been backported to 4.3.17.1.

Weaknesses

CWE-862: Missing Authorization

CVE Status: PUBLISHED
CNA: Jenkins Project
Published Date: 2023-11-29 14:15:07
(9 months ago)
Updated Date: 2023-12-05 16:06:16
(9 months ago)

Affected Products

Jenkins

Google Compute Engine

Configuration #1

		CPE23	From	Up To
	Jenkins Google Compute Engine for Jenkins prior 4.3.17.1 version	cpe:2.3:a:jenkins:google_compute_engine::::::jenkins		< 4.3.17.1