A credential disclosure vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-only administrator to obtain the plaintext credentials of stored external system integrations such as LDAP, SCP, RADIUS, TACACS+, and SNMP from the web interface.

Palo Alto Networks Security Advisories / CVE-2023-6791

Urgency **REDUCED**

Response Effort **LOW**

Recovery **USER**

Value Density **DIFFUSE**

Attack Vector **NETWORK**

Attack Complexity **LOW**

Attack Requirements **NONE**

Automatable **NO**

User Interaction **NONE**

Product Confidentiality **LOW**

Product Integrity **NONE**

Product Availability **NONE**

Privileges Required **HIGH**

Subsequent Confidentiality **HIGH**

Subsequent Integrity **NONE**

Subsequent Availability **NONE**

NVD JSON

Published **2023-12-13**

Updated **2023-12-13**

Reference **PAN-193370**

Discovered **externally**

**Description**

A credential disclosure vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-only administrator to obtain the plaintext credentials of stored external system integrations such as LDAP, SCP, RADIUS, TACACS+, and SNMP from the web interface.

**Product Status**

Versions

Affected

Unaffected

Cloud NGFW

None

All

PAN-OS 11.1

None

All

PAN-OS 11.0

< 11.0.1

\>= 11.0.1

PAN-OS 10.2

< 10.2.4

\>= 10.2.4

PAN-OS 10.1

< 10.1.9

\>= 10.1.9

PAN-OS 10.0

< 10.0.12

\>= 10.0.12

PAN-OS 9.1

< 9.1.16

\>= 9.1.16

PAN-OS 9.0

< 9.0.17

\>= 9.0.17

PAN-OS 8.1

< 8.1.24-h1

\>= 8.1.24-h1

Prisma Access

None

All

**Severity: MEDIUM**

CVSSv4.0 Base Score: 6.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/AU:N/R:U/V:D/RE:L/U:Green)

**Exploitation Status**

Palo Alto Networks is not aware of any malicious exploitation of this issue.

**Weakness Type**

CWE-701: Weakness Introduced During Design

**Solution**

This issue is fixed in PAN-OS 8.1.24-h1, PAN-OS 9.0.17, PAN-OS 9.1.16, PAN-OS 10.0.12, PAN-OS 10.1.9, PAN-OS 10.2.4, PAN-OS 11.0.1, and all later PAN-OS versions.

You should issue new credentials for the impacted external integrations after you upgrade your PAN-OS software to a fixed version to prevent the misuse of previously exposed credentials.

**Workarounds and Mitigations**

This issue requires the attacker to have authenticated access to the PAN-OS web interface. You can mitigate the impact of this issue by following the Best Practices for Securing Administrative Access in the PAN-OS technical documentation at https://docs.paloaltonetworks.com/best-practices.

**Acknowledgments**

Palo Alto Networks thanks Kajetan Rostojek for discovering and reporting this issue.

**Timeline**

2023-12-13 Initial publication

CVE-2023-6791: CVE-2023-6791 PAN-OS: Plaintext Disclosure of External System Integration Credentials

A DOM-Based cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software enables a remote attacker to execute a JavaScript payload in the context of an administrator’s browser when they view a specifically crafted link to the PAN-OS web interface.

Palo Alto Networks Security Advisories / CVE-2023-6790

Urgency **MODERATE**

Response Effort **LOW**

Recovery **AUTOMATIC**

Value Density **DIFFUSE**

Attack Vector **NETWORK**

Attack Complexity **LOW**

Attack Requirements **PRESENT**

Automatable **YES**

User Interaction **ACTIVE**

Product Confidentiality **HIGH**

Product Integrity **HIGH**

Product Availability **HIGH**

Privileges Required **NONE**

Subsequent Confidentiality **NONE**

Subsequent Integrity **NONE**

Subsequent Availability **NONE**

NVD JSON

Published **2023-12-13**

Updated **2023-12-13**

Reference **PAN-193367**

Discovered **externally**

**Description**

A DOM-Based cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software enables a remote attacker to execute a JavaScript payload in the context of an administrator’s browser when they view a specifically crafted link to the PAN-OS web interface.

**Product Status**

Versions

Affected

Unaffected

Cloud NGFW

None

All

PAN-OS 11.1

None

All

PAN-OS 11.0

< 11.0.1

\>= 11.0.1

PAN-OS 10.2

< 10.2.4

\>= 10.2.4

PAN-OS 10.1

< 10.1.9

\>= 10.1.9

PAN-OS 10.0

< 10.0.12

\>= 10.0.12

PAN-OS 9.1

< 9.1.16

\>= 9.1.16

PAN-OS 9.0

< 9.0.17

\>= 9.0.17

PAN-OS 8.1

< 8.1.25

\>= 8.1.25

Prisma Access

None

All

**Severity: HIGH**

CVSSv4.0 Base Score: 7.5 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:Y/R:A/V:D/RE:L/U:Amber)

**Exploitation Status**

Palo Alto Networks is not aware of any malicious exploitation of this issue.

**Weakness Type**

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

**Solution**

This issue is fixed in PAN-OS 8.1.25, PAN-OS 9.0.17, PAN-OS 9.1.16, PAN-OS 10.0.12, PAN-OS 10.1.9, PAN-OS 10.2.4, PAN-OS 11.0.1, and all later PAN-OS versions.

**Acknowledgments**

Palo Alto Networks thanks Kajetan Rostojek for discovering and reporting this issue.

**Timeline**

2023-12-13 Initial publication

CVE-2023-6790: CVE-2023-6790 PAN-OS: DOM-Based Cross-Site Scripting (XSS) Vulnerability in the Web Interface

A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software enables a malicious authenticated read-write administrator to store a JavaScript payload using the web interface. Then, when viewed by a properly authenticated administrator, the JavaScript payload executes and disguises all associated actions as performed by that unsuspecting authenticated administrator.

Palo Alto Networks Security Advisories / CVE-2023-6789

Urgency **REDUCED**

Response Effort **LOW**

Recovery **AUTOMATIC**

Value Density **DIFFUSE**

Attack Vector **NETWORK**

Attack Complexity **LOW**

Attack Requirements **NONE**

Automatable **NO**

User Interaction **PASSIVE**

Product Confidentiality **LOW**

Product Integrity **LOW**

Product Availability **LOW**

Privileges Required **HIGH**

Subsequent Confidentiality **NONE**

Subsequent Integrity **NONE**

Subsequent Availability **NONE**

NVD JSON

Published **2023-12-13**

Updated **2023-12-13**

Reference **PAN-216216, PAN-193369 and PAN-170882**

Discovered **externally**

**Description**

A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software enables a malicious authenticated read-write administrator to store a JavaScript payload using the web interface. Then, when viewed by a properly authenticated administrator, the JavaScript payload executes and disguises all associated actions as performed by that unsuspecting authenticated administrator.

**Product Status**

Versions

Affected

Unaffected

Cloud NGFW

None

All

PAN-OS 11.1

None

All

PAN-OS 11.0

< 11.0.2

\>= 11.0.2

PAN-OS 10.2

< 10.2.5

\>= 10.2.5

PAN-OS 10.1

< 10.1.11

\>= 10.1.11

PAN-OS 10.0

All

None

PAN-OS 9.1

< 9.1.17

\>= 9.1.17

PAN-OS 9.0

< 9.0.17-h4

\>= 9.0.17-h4

PAN-OS 8.1

< 8.1.26

\>= 8.1.26

Prisma Access

None

All

**Severity: MEDIUM**

CVSSv4.0 Base Score: 4.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/AU:N/R:A/V:D/RE:L/U:Green)

**Exploitation Status**

Palo Alto Networks is not aware of any malicious exploitation of this issue.

**Weakness Type**

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

**Solution**

This issue is fixed in PAN-OS 8.1.26, PAN-OS 9.0.17-h4, PAN-OS 9.1.17, PAN-OS 10.1.11, PAN-OS 10.2.5, PAN-OS 11.0.2, and all later PAN-OS versions.

**Workarounds and Mitigations**

This issue requires the attacker to have authenticated access to the PAN-OS web interface. You can mitigate the impact of this issue by following the Best Practices for Securing Administrative Access in the PAN-OS technical documentation at https://docs.paloaltonetworks.com/best-practices.

**Acknowledgments**

Palo Alto Networks thanks Md Sameull Islam of Beetles Cyber Security LTD, Kajetan Rostojek, and an external reporter for discovering and reporting this issue.

**Timeline**

2023-12-13 Initial publication

CVE-2023-6789: CVE-2023-6789 PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in the Web Interface

An OS command injection vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator to disrupt system processes and potentially execute arbitrary code with limited privileges on the firewall.

Palo Alto Networks Security Advisories / CVE-2023-6795

Urgency **REDUCED**

Response Effort **LOW**

Recovery **AUTOMATIC**

Value Density **DIFFUSE**

Attack Vector **NETWORK**

Attack Complexity **LOW**

Attack Requirements **PRESENT**

Automatable **YES**

User Interaction **NONE**

Product Confidentiality **HIGH**

Product Integrity **LOW**

Product Availability **NONE**

Privileges Required **HIGH**

Subsequent Confidentiality **NONE**

Subsequent Integrity **NONE**

Subsequent Availability **NONE**

NVD JSON

Published **2023-12-13**

Updated **2023-12-13**

Reference **PAN-166315**

Discovered **externally**

**Description**

An OS command injection vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator to disrupt system processes and potentially execute arbitrary code with limited privileges on the firewall.

**Product Status**

Versions

Affected

Unaffected

Cloud NGFW

None

All

PAN-OS 11.1

None

All

PAN-OS 11.0

None

All

PAN-OS 10.2

None

All

PAN-OS 10.1

< 10.1.3

\>= 10.1.3

PAN-OS 10.0

< 10.0.9

\>= 10.0.9

PAN-OS 9.1

< 9.1.12

\>= 9.1.12

PAN-OS 9.0

< 9.0.17

\>= 9.0.17

PAN-OS 8.1

< 8.1.24-h1

\>= 8.1.24-h1

Prisma Access

None

All

**Severity: MEDIUM**

CVSSv4.0 Base Score: 5.9 (CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/AU:Y/R:A/V:D/RE:L/U:Green)

**Exploitation Status**

Palo Alto Networks is not aware of any malicious exploitation of this issue.

**Weakness Type**

CWE-78 OS Command Injection

**Solution**

This issue is fixed in PAN-OS 8.1.24-h1, PAN-OS 9.0.17, PAN-OS 9.1.12, PAN-OS 10.0.9, PAN-OS 10.1.3, and all later PAN-OS versions.

**Workarounds and Mitigations**

This issue requires the attacker to have authenticated access to the PAN-OS web interface. You can mitigate the impact of this issue by following the Best Practices for Securing Administrative Access in the PAN-OS technical documentation at https://docs.paloaltonetworks.com/best-practices.

**Acknowledgments**

Palo Alto Networks thanks an external reporter for discovering and reporting this issue.

**Timeline**

2023-12-13 Initial publication

CVE-2023-6795: CVE-2023-6795 PAN-OS: OS Command Injection Vulnerability in the Web Interface

An arbitrary file upload vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-write administrator with access to the web interface to disrupt system processes and potentially execute arbitrary code with limited privileges on the firewall.

Palo Alto Networks Security Advisories / CVE-2023-6794

Urgency **REDUCED**

Response Effort **LOW**

Recovery **AUTOMATIC**

Value Density **DIFFUSE**

Attack Vector **NETWORK**

Attack Complexity **LOW**

Attack Requirements **PRESENT**

Automatable **NO**

User Interaction **NONE**

Product Confidentiality **HIGH**

Product Integrity **LOW**

Product Availability **NONE**

Privileges Required **HIGH**

Subsequent Confidentiality **NONE**

Subsequent Integrity **NONE**

Subsequent Availability **NONE**

NVD JSON

Published **2023-12-13**

Updated **2023-12-13**

Reference **PAN-139152 and PAN-131835**

Discovered **internally**

**Description**

An arbitrary file upload vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-write administrator with access to the web interface to disrupt system processes and potentially execute arbitrary code with limited privileges on the firewall.

**Product Status**

Versions

Affected

Unaffected

Cloud NGFW

None

All

PAN-OS 11.1

None

All

PAN-OS 11.0

None

All

PAN-OS 10.2

None

All

PAN-OS 10.1

None

All

PAN-OS 9.1

< 9.1.14

\>= 9.1.14

PAN-OS 9.0

< 9.0.17-h1

\>= 9.0.17-h1

PAN-OS 8.1

< 8.1.26

\>= 8.1.26

Prisma Access

None

All

**Severity: MEDIUM**

CVSSv4.0 Base Score: 5.9 (CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/AU:N/R:A/V:D/RE:L/U:Green)

**Exploitation Status**

Palo Alto Networks is not aware of any malicious exploitation of this issue.

**Weakness Type**

CWE-434 Unrestricted Upload of File with Dangerous Type

**Solution**

This issue is fixed in PAN-OS 8.1.26, PAN-OS 9.0.17-h1, PAN-OS 9.1.14, and all later PAN-OS versions.

**Workarounds and Mitigations**

This issue requires the attacker to have authenticated access to the PAN-OS web interface. You can mitigate the impact of this issue by following the Best Practices for Securing Administrative Access in the PAN-OS technical documentation at https://docs.paloaltonetworks.com/best-practices.

**Acknowledgments**

This issue was found by Palo Alto Networks during an internal security review.

**Timeline**

2023-12-13 Initial publication

CVE-2023-6794: CVE-2023-6794 PAN-OS: File Upload Vulnerability in the Web Interface

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.11, the saved search feature can be used to perform a SQL injection. Version 10.0.11 contains a patch for the issue.

Skip to content

Sign in

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    Explore
    
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   For
    
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    By Solution
    
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    Resources
    
    *   Learning Pathways
    *   White papers, Ebooks, Webinars
    *   Customer Stories
    *   Partners
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    Repositories
    
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

**Saved searches****Use saved searches to filter your results more quickly**

Sign in

Sign up

glpi-project / **glpi** Public

*   Notifications
*   Fork 1.2k
*   Star 3.5k
    

*   Code
*   Issues 137
*   Pull requests 62
*   Actions
*   Projects 1
*   Security
*   Insights

Additional navigation options

Moderate

trasher published GHSA-94c3-fw5r-3362

Dec 13, 2023

**Package**

glpi (glpi)

**Affected versions**

\>= 10.0.0

**Patched versions**

10.0.11

**Description**

**Impact**

The saved search feature can be used to perform a SQL injection.

**Patches**

Upgrade to 10.0.11.

**For more information**

If you have any questions or comments about this advisory, mail us at glpi-security@ow2.org.

**Severity**

Moderate

6.5

/ 10

**CVSS base metrics**

Attack vector

Network

Attack complexity

Low

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

**CVE ID**

CVE-2023-43813

**Weaknesses**

CWE-89

**Credits**

*    bhopkins0 Reporter

CVE-2023-43813: Authenticated SQL Injection

Jenkins OpenId Connect Authentication Plugin 2.6 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   Analysis Model API Plugin
*   Deployment Dashboard Plugin
*   Dingding JSON Pusher Plugin
*   HTMLResource Plugin
*   Nexus Platform Plugin
*   OpenId Connect Authentication Plugin
*   PaaSLane Estimate Plugin
*   Scriptler Plugin

**Descriptions****DoS vulnerability in Analysis Model API Plugin**

**SECURITY-3327 / CVE-2023-5072**  
**Severity (CVSS):** Medium  
**Affected plugin: analysis-model-api**  
**Description:**

Analysis Model API Plugin 11.11.0 and earlier bundles versions of JSON-Java vulnerable to CVE-2023-5072.

This may allow attackers able to control input to cause a Denial of Service (DoS) by parsing a crafted JSON document.

As of publication, Synopsys Rapid Scan Static is the only plugin the Jenkins security team is aware of whose report parser is potentially affected.

Analysis Model API Plugin 11.13.0 updates JSON-Java to version 20231013, which is unaffected by this issue.

**Arbitrary file deletion vulnerability in Scriptler Plugin**

**SECURITY-3205 / CVE-2023-50764**  
**Severity (CVSS):** High  
**Affected plugin: scriptler**  
**Description:**

Scriptler Plugin 342.v6a\_89fd40f466 and earlier does not restrict a file name query parameter in an HTTP endpoint.

This allows attackers with Scriptler/Configure permission to delete arbitrary files on the Jenkins controller file system.

Scriptler Plugin 344.v5a\_ddb\_5f9e685 ensures that the file being deleted is located in the expected directory.

**Missing permission check in Scriptler Plugin**

**SECURITY-3206 / CVE-2023-50765**  
**Severity (CVSS):** Medium  
**Affected plugin: scriptler**  
**Description:**

Scriptler Plugin 342.v6a\_89fd40f466 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to read the contents of a Groovy script by knowing its ID.

Scriptler Plugin 344.v5a\_ddb\_5f9e685 requires the appropriate permission to read the contents of a Groovy script.

**CSRF vulnerability and missing permission checks in Nexus Platform Plugin allow XXE**

**SECURITY-3204 / CVE-2023-50766 (CSRF), CVE-2023-50767 (missing permission check)**  
**Severity (CVSS):** High  
**Affected plugin: nexus-jenkins-plugin**  
**Description:**

Nexus Platform Plugin 3.18.0-03 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

Additionally, the plugin does not configure its XML parser to prevent XML external entity (XXE) attacks, so attackers can have Jenkins parse a crafted XML response that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Nexus Platform Plugin 3.18.1-01 configures its XML parser to prevent XML external entity (XXE) attacks.

Additionally, POST requests and Overall/Administer permission are required for the affected HTTP endpoints.

Nexus Platform Plugin is not currently distributed by the Jenkins Project due to licensing issues. The fixed version can be downloaded from the Sonatype website.

**CSRF vulnerability and missing permission checks in Nexus Platform Plugin allow capturing credentials**

**SECURITY-3203 / CVE-2023-50768 (CSRF), CVE-2023-50769 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: nexus-jenkins-plugin**  
**Description:**

Nexus Platform Plugin 3.18.0-03 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Nexus Platform Plugin 3.18.1-01 requires POST requests and Overall/Administer permission for the affected form validation methods.

Nexus Platform Plugin is not currently distributed by the Jenkins Project due to licensing issues. The fixed version can be downloaded from the Sonatype website.

**Password stored in a recoverable format by OpenId Connect Authentication Plugin**

**SECURITY-3168 / CVE-2023-50770**  
**Severity (CVSS):** Medium  
**Affected plugin: oic-auth**  
**Description:**

OpenId Connect Authentication Plugin provides an anti-lockout feature, which allows administrators to define a local user account that can be used to recover access to Jenkins.

In OpenId Connect Authentication Plugin 2.6 and earlier the password to that account is stored in a recoverable format.

This allows attackers with access to the Jenkins controller file system to recover the plain text password of that account, likely gaining administrator access to Jenkins.

**Open redirect vulnerability in OpenId Connect Authentication Plugin**

**SECURITY-2979 / CVE-2023-50771**  
**Severity (CVSS):** Medium  
**Affected plugin: oic-auth**  
**Description:**

OpenId Connect Authentication Plugin 2.6 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins.

This allows attackers to perform phishing attacks by having users go to a Jenkins URL that will forward them to a different site after successful authentication.

**Tokens stored and displayed in plain text by Dingding JSON Pusher Plugin**

**SECURITY-3184 / CVE-2023-50772 (storage), CVE-2023-50773 (masking)**  
**Severity (CVSS):** Medium  
**Affected plugin: dingding-json-pusher**  
**Description:**

Dingding JSON Pusher Plugin 2.0 and earlier stores access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them.

**CSRF vulnerability in HTMLResource Plugin allows deleting arbitrary files**

**SECURITY-3183 / CVE-2023-50774**  
**Severity (CVSS):** High  
**Affected plugin: htmlresource**  
**Description:**

HTMLResource Plugin 1.02 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to delete arbitrary files on the Jenkins controller file system.

**CSRF vulnerability in Deployment Dashboard Plugin**

**SECURITY-3092 / CVE-2023-50775**  
**Severity (CVSS):** Medium  
**Affected plugin: ec2-deployment-dashboard**  
**Description:**

Deployment Dashboard Plugin 1.0.10 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to copy jobs.

**Tokens stored and displayed in plain text by PaaSLane Estimate Plugin**

**SECURITY-3182 / CVE-2023-50776 (storage), CVE-2023-50777 (masking)**  
**Severity (CVSS):** Medium  
**Affected plugin: paaslane-estimate**  
**Description:**

PaaSLane Estimate Plugin 1.0.4 and earlier stores PaaSLane authentication tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them.

**CSRF vulnerability and missing permission checks in PaaSLane Estimate Plugin**

**SECURITY-3179 / CVE-2023-50778 (CSRF), CVE-2023-50779 (missing permission check)**  
**Severity (CVSS):** Medium  
**Affected plugin: paaslane-estimate**  
**Description:**

PaaSLane Estimate Plugin 1.0.4 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified token.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

**Severity**

*   SECURITY-2979: Medium
*   SECURITY-3092: Medium
*   SECURITY-3168: Medium
*   SECURITY-3179: Medium
*   SECURITY-3182: Medium
*   SECURITY-3183: High
*   SECURITY-3184: Medium
*   SECURITY-3203: Medium
*   SECURITY-3204: High
*   SECURITY-3205: High
*   SECURITY-3206: Medium
*   SECURITY-3327: Medium

**Affected Versions**

*   **Analysis Model API Plugin** up to and including 11.11.0
*   **Deployment Dashboard Plugin** up to and including 1.0.10
*   **Dingding JSON Pusher Plugin** up to and including 2.0
*   **HTMLResource Plugin** up to and including 1.02
*   **Nexus Platform Plugin** up to and including 3.18.0-03
*   **OpenId Connect Authentication Plugin** up to and including 2.6
*   **PaaSLane Estimate Plugin** up to and including 1.0.4
*   **Scriptler Plugin** up to and including 342.v6a\_89fd40f466

**Fix**

*   **Analysis Model API Plugin** should be updated to version 11.13.0
*   **Nexus Platform Plugin** should be updated to version 3.18.1-01
*   **Scriptler Plugin** should be updated to version 344.v5a\_ddb\_5f9e685

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   Deployment Dashboard Plugin
*   Dingding JSON Pusher Plugin
*   HTMLResource Plugin
*   OpenId Connect Authentication Plugin
*   PaaSLane Estimate Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Andrea Chiera, CloudBees, Inc.** for SECURITY-3179, SECURITY-3182, SECURITY-3183, SECURITY-3184, SECURITY-3203, SECURITY-3204, SECURITY-3205, SECURITY-3206
*   **Kevin Guerroudj, CloudBees, Inc.** for SECURITY-2979, SECURITY-3092
*   **Steve Marlowe <smarlowe@cisco.com> of Cisco ASIG** for SECURITY-3168

CVE-2023-50771: Jenkins Security Advisory 2023-12-13

Missing permission checks in Jenkins PaaSLane Estimate Plugin 1.0.4 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified token.

CVE-2023-50779: Jenkins Security Advisory 2023-12-13

A missing permission check in Jenkins Scriptler Plugin 342.v6a_89fd40f466 and earlier allows attackers with Overall/Read permission to read the contents of a Groovy script by knowing its ID.

CVE-2023-50765: Jenkins Security Advisory 2023-12-13

A cross-site request forgery (CSRF) vulnerability in Jenkins HTMLResource Plugin 1.02 and earlier allows attackers to delete arbitrary files on the Jenkins controller file system.

Tag

#web