GHSA-qf42-f5vf-6w99

Source

https://github.com/advisories/GHSA-qf42-f5vf-6w99

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-qf42-f5vf-6w99/GHSA-qf42-f5vf-6w99.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-qf42-f5vf-6w99

Aliases

CVE-2023-41945

Published

2023-09-06T15:30:26Z

Modified

2024-02-16T08:09:20.897566Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Disabled permissions granted by Jenkins Assembla Auth Plugin

Details

Jenkins Assembla Auth Plugin 1.14 and earlier does not verify that the permissions it grants are enabled, resulting in users with EDIT permissions to be granted Overall/Manage and Overall/SystemRead permissions, even if those permissions are disabled and should not be granted.

Database specific

{
    "nvd_published_at": "2023-09-06T13:15:11Z",
    "cwe_ids": [
        "CWE-862"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-30T23:01:31Z"
}

References

Affected packages

Maven / org.jenkins-ci.plugins:assembla-auth

Package

Name: org.jenkins-ci.plugins:assembla-auth; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/assembla-auth

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.14

Affected versions

1.*

1.01

1.02

1.03

1.06

1.09

1.11

1.13

1.14