Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-4c3q-r84r-q6pp: Jenkins mabl Plugin vulnerable to exposure of system-scooped credentials

Jenkins mabl Plugin 0.0.46 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration.

This allows attackers with Item/Configure permission to access and capture credentials they are not entitled to.

mabl Plugin 0.0.47 defines the appropriate context for credentials lookup.

ghsa
#git#java#maven
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2023-37951

Jenkins mabl Plugin vulnerable to exposure of system-scooped credentials

Moderate severity GitHub Reviewed Published Jul 12, 2023 to the GitHub Advisory Database • Updated Jul 12, 2023

Package

maven com.mabl.integration.jenkins:mabl-integration (Maven)

Affected versions

< 0.0.47

Published to the GitHub Advisory Database

Jul 12, 2023

Last updated

Jul 12, 2023

Related news

CVE-2023-37965: Jenkins Security Advisory 2023-07-12

A missing permission check in Jenkins ElasticBox CI Plugin 5.0.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2023-37949: Jenkins Security Advisory 2023-07-12

A missing permission check in Jenkins Orka by MacStadium Plugin 1.33 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2023-37957: Jenkins Security Advisory 2023-07-12

A cross-site request forgery (CSRF) vulnerability in Jenkins Pipeline restFul API Plugin 0.11 and earlier allows attackers to connect to an attacker-specified URL, capturing a newly generated JCLI token.

CVE-2023-37960: Jenkins Security Advisory 2023-07-12

Jenkins MathWorks Polyspace Plugin 1.0.5 and earlier allows attackers with Item/Configure permission to send emails with arbitrary files from the Jenkins controller file systems.

CVE-2023-37959: Jenkins Security Advisory 2023-07-12

A missing permission check in Jenkins Sumologic Publisher Plugin 2.2.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.

CVE-2023-37948: Jenkins Security Advisory 2023-07-12

Jenkins Oracle Cloud Infrastructure Compute Plugin 1.0.16 and earlier does not validate SSH host keys when connecting OCI clouds, enabling man-in-the-middle attacks.

CVE-2023-37956: Jenkins Security Advisory 2023-07-12

A missing permission check in Jenkins Test Results Aggregator Plugin 1.2.13 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

CVE-2023-37953: Jenkins Security Advisory 2023-07-12

A missing permission check in Jenkins mabl Plugin 0.0.46 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CVE-2023-37954: Jenkins Security Advisory 2023-07-12

A cross-site request forgery (CSRF) vulnerability in Jenkins Rebuilder Plugin 320.v5a_0933a_e7d61 and earlier allows attackers to rebuild a previous build.

CVE-2023-37942: Jenkins Security Advisory 2023-07-12

Jenkins External Monitor Job Type Plugin 206.v9a_94ff0b_4a_10 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2023-37945: Jenkins Security Advisory 2023-07-12

A missing permission check in Jenkins SAML Single Sign On(SSO) Plugin 2.1.0 through 2.3.0 (both inclusive) allows attackers with Overall/Read permission to download a string representation of the current security realm.