CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2023-49654

CVSS 9.8v3.1pub. 2023-11-29upd. 2024-11-21

Missing permission checks in Jenkins MATLAB Plugin 2.11.0 and earlier allow attackers to have Jenkins parse an XML file from the Jenkins controller file system.

🤖 AI Analysis
How it works

The MATLAB plugin for Jenkins does not perform required permission checks before processing an XML file specified by a request. An attacker can send a crafted request to the plugin endpoint, specifying the path to any XML file on the Jenkins controller. Jenkins then parses the specified file, which may expose its contents or trigger additional effects resulting from external XML entity (XXE) processing. The vulnerability is classified as CWE-862 — missing authorization check.

Impact

An unauthenticated attacker can gain access to sensitive XML files stored on the Jenkins controller server, potentially exposing configuration data, credentials, or other sensitive information. Depending on the content of the processed files, further expansion of the attack scope in the CI/CD environment is possible.

Mitigation & patch

Update Jenkins MATLAB Plugin to a version higher than 2.11.0, which includes the required permission checks. Details of the fix are available in the official Jenkins security bulletin at: https://www.jenkins.io/security/advisory/2023-11-29/#SECURITY-3193

Who is affected

Jenkins MATLAB Plugin in version 2.11.0 and earlier.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Jenkins Matlab

    APP
    Jenkins
    < 2.11.1
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
CI/CD
CWE
References

Related vulnerabilities

CVE-2023-49656CRITICAL9.8PL ✓ten sam produkt

XXE w Jenkins MATLAB Plugin — pełny dostęp bez uwierzytelnienia

CVE-2023-49655HIGH8.8ten sam produkt

A cross-site request forgery (CSRF) vulnerability in Jenkins MATLAB Plugin 2.11.0 and earlier allows attackers...

CVE-2023-49673HIGH8.8ten sam produkt

A cross-site request forgery (CSRF) vulnerability in Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and e...

CVE-2024-23897CRITICAL9.8⚠ KEVPL ✓ten sam vendor

Jenkins CLI – odczyt dowolnych plików przez path traversal bez uwierzytelnienia

CVE-2019-1003029CRITICAL9.9⚠ KEVten sam vendor

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/...