Vulnerabilities > CVE-2023-41945 - Missing Authorization vulnerability in Jenkins Assembla Auth

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

jenkins

CWE-862

NVD

Published: 2023-09-06

Updated: 2023-09-11

Summary

Jenkins Assembla Auth Plugin 1.14 and earlier does not verify that the permissions it grants are enabled, resulting in users with EDIT permissions to be granted Overall/Manage and Overall/SystemRead permissions, even if those permissions are disabled and should not be granted.

Vulnerable Configurations

Part	Description	Count
Application	Jenkins Jenkins Assembla Auth - Jenkins Assembla Auth 1.01 Jenkins Assembla Auth 1.02 Jenkins Assembla Auth 1.03 Jenkins Assembla Auth 1.06 Jenkins Assembla Auth 1.09 Jenkins Assembla Auth 1.11 Jenkins Assembla Auth 1.13 Jenkins Assembla Auth 1.14	9

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

References

https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3065
http://www.openwall.com/lists/oss-security/2023/09/06/9