CVE-2023-37960 – com.mathworks.polyspace.jenkins:mathworks-polyspace
Package
Manager: maven
Name: com.mathworks.polyspace.jenkins:mathworks-polyspace
Vulnerable Version: >=0 <=1.0.5
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00399 (percentile 0.59853)
Details
Jenkins MathWorks Polyspace Plugin vulnerable to arbitrary file read
Jenkins MathWorks Polyspace Plugin 1.0.5 and earlier does not restrict the path of the attached files in the Polyspace Notification post-build step. This allows attackers with Item/Configure permission to send emails with arbitrary files from the Jenkins controller file system.
Metadata
Created: 2023-07-12T18:30:39Z
Modified: 2023-07-12T22:30:48Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-q6cq-8r4j-6rj5/GHSA-q6cq-8r4j-6rj5.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-q6cq-8r4j-6rj5
Finding: F063
Auto approve: 1