CVE-2023-41945 – org.jenkins-ci.plugins:assembla-auth
Package
Manager: maven
Name: org.jenkins-ci.plugins:assembla-auth
Vulnerable Version: >=0 <=1.14
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00044 (percentile: 0.12624)
Details
Disabled permissions granted by Jenkins Assembla Auth Plugin
Jenkins Assembla Auth Plugin 1.14 and earlier does not verify that the permissions it grants are enabled. As a result, users with EDIT permissions are granted Overall/Manage and Overall/SystemRead permissions, even if those permissions are disabled and should not be granted.
Metadata
Created: 2023-09-06T15:30:26Z
Modified: 2024-01-30T23:01:31Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-qf42-f5vf-6w99/GHSA-qf42-f5vf-6w99.json
CWE IDs: ["CWE-862"]
Alternative ID: GHSA-qf42-f5vf-6w99
Finding: F039
Auto approve: 1