
Rewterz Threat Advisory – Multiple Jenkins Scriptler Plugin Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2023-50764 CVSS: 8

Jenkins Scriptler Plugin could allow a remote authenticated attacker to bypass security restrictions, caused by not restricting a file name query parameter in an HTTP endpoint. By sending a specially crafted request, an attacker could exploit this vulnerability to delete arbitrary files on the Jenkins controller file system.
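As an added illustration of the defect class described above (this is not code from the Scriptler plugin or from Jenkins), the following Python contrasts joining a user-supplied file name onto a scripts directory with no checks against confining the resolved path to that directory; the directory path and file names are constructed for the example.

```python
import os
from pathlib import Path


def unrestricted_script_path(scripts_dir: str, requested_name: str) -> str:
    """Weak pattern: the request parameter is joined onto the base directory
    with no validation, so '..' components or an absolute name escape it."""
    return os.path.normpath(os.path.join(scripts_dir, requested_name))


def resolve_script_path(scripts_dir: str, requested_name: str):
    """Hardened pattern: return the path of a script under scripts_dir,
    or None when the requested name would leave that directory."""
    base = Path(scripts_dir).resolve()
    # Reject empty names, bare dot components and anything carrying a
    # path separator or NUL before touching the filesystem at all.
    if not requested_name or requested_name in (".", ".."):
        return None
    if any(ch in requested_name for ch in ("/", "\\", "\0")):
        return None
    candidate = (base / requested_name).resolve()
    # Final containment check after symlink resolution: the candidate must
    # still be inside the scripts directory.
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def audit_names(scripts_dir: str, names):
    """Evaluate a batch of requested names; returns {name: accepted?}.
    Useful for checking a validation routine against constructed inputs."""
    return {n: resolve_script_path(scripts_dir, n) is not None for n in names}


if __name__ == "__main__":
    # Constructed sample directory and request parameters.
    base = "/srv/jenkins/scriptler/scripts"
    for name in ("hello.groovy", "../config.xml", "/tmp/other.txt"):
        print(f"{name!r:20} unchecked -> {unrestricted_script_path(base, name)}")
        print(f"{'':20} confined  -> {resolve_script_path(base, name)}")
```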

CVE-2023-50765 CVSS: 4.3

Jenkins Scriptler Plugin could allow a remote authenticated attacker to obtain sensitive information, caused by not performing a permission check in an HTTP endpoint. By sending a specially crafted request, an attacker could exploit this vulnerability to read the contents of a Groovy script, and use this information to launch further attacks against the affected system.

CVE-2023-50769 CVSS: 4.4

Jenkins Scriptler Plugin could allow a remote authenticated attacker to bypass security restrictions, caused by missing permission checks. By sending a specially crafted request, an attacker could exploit this vulnerability to connect to an attacker-specified HTTP server.

Impact

  • Security Bypass
  • Information Disclosure

Indicators Of Compromise

CVE

  • CVE-2023-50764
  • CVE-2023-50765
  • CVE-2023-50769

Affected Vendors

Jenkins

Affected Products

  • Jenkins Scriptler Plugin 342.v6a_89fd40f466

Remediation

Refer to Jenkins Security Advisory for patch, upgrade or suggested workaround information.

Jenkins Security Advisory