CVE-2023-49652

low-risk

Published 2023-11-29

Incorrect permission checks in Jenkins Google Compute Engine Plugin 4.550.vb_327fca_3db_11 and earlier allow attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate system-scoped credentials IDs of credentials stored in Jenkins and to connect to Google Cloud Platform using attacker-specified credentials IDs obtained through another method, to obtain information about existing projects. This fix has been backported to 4.3.17.1.

Do I need to act?

0.05% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 2.7/10 Low

NETWORK / LOW complexity

Affected Products (1)

Google Compute Engine

Affected Vendors

Jenkins

References (4)

Mailing List http://www.openwall.com/lists/oss-security/2023/11/29/1

Vendor Advisory https://www.jenkins.io/security/advisory/2023-11-29/#SECURITY-2835

Mailing List http://www.openwall.com/lists/oss-security/2023/11/29/1

Vendor Advisory https://www.jenkins.io/security/advisory/2023-11-29/#SECURITY-2835

/ 100

low-risk

Severity 14/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal