Base Score

LOW2.7

CVE-2023-49652

Incorrect permission checks in Jenkins Google Compute Engine Plugin 4.550.vb_327fca_3db_11 and earlier allow attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate system-scoped credentials IDs of credentials stored in Jenkins and to connect to Google Cloud Platform using attacker-specified credentials IDs obtained through another method, to obtain information about existing projects. This fix has been backported to 4.3.17.1.

VectorNETWORK

Published Byjenkinsci-cert@googlegroups.com

Published DateNov 29, 2023, 14:15

Affected Versions(2)

org.jenkins-ci.plugins:google-compute-engine(Maven)

Introduced0

Fixed4.3.17.1

LimitN/A

org.jenkins-ci.plugins:google-compute-engine(Maven)

Introduced4.5

Fixed4.551.v5a

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.jenkins-ci.plugins:google-compute-engine(Maven)	0	4.3.17.1	N/A
org.jenkins-ci.plugins:google-compute-engine(Maven)	4.5	4.551.v5a	N/A

Weakness Type (CWE):CWE-862

CVSS Metrics

Base Score

2.7

Vector String

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Base Severity

LOW

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

HIGH

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

LOW

Integrity (I)

NONE

Availability (A)

NONE

References

Base Score

LOW2.7

Weakness Type (CWE):CWE-862

CVSS Metrics

Base Score

2.7

Vector String

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Base Severity

LOW

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

HIGH

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

LOW

Integrity (I)

NONE

Availability (A)

NONE