GHSA-whgj-6m78-2gg9

Source

https://github.com/advisories/GHSA-whgj-6m78-2gg9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-whgj-6m78-2gg9/GHSA-whgj-6m78-2gg9.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-whgj-6m78-2gg9

Aliases

CVE-2023-35147

Published

2023-06-14T15:30:37Z

Modified

2024-02-16T08:18:46.920083Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Arbitrary file read vulnerability in Jenkins AWS CodeCommit Trigger Plugin

Details

Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not restrict the AWS SQS queue name path parameter in an HTTP endpoint, allowing attackers with Item/Read permission to obtain the contents of arbitrary files on the Jenkins controller file system.

Database specific

{
    "nvd_published_at": "2023-06-14T13:15:12Z",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-30T23:02:36Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-732"
    ]
}

References

Affected packages

Maven / org.jenkins-ci.plugins:aws-codecommit-trigger

Package

Name: org.jenkins-ci.plugins:aws-codecommit-trigger; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/aws-codecommit-trigger

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

3.0.12

Affected versions

1.*

1.0

1.1

1.2

1.3

1.4

1.5-beta

1.5

1.6

1.7

1.8-beta-1

1.8

1.9

1.10

1.11

1.12

1.13

1.14

1.15

2.*

2.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

3.*

3.0.0-beta-1

3.0.0

3.0.1

3.0.2

3.0.5

3.0.6

3.0.7

3.0.10

3.0.11

3.0.12