CVE-2023-35148 - Vulnerability Details - OpenCVE

A cross-site request forgery (CSRF) vulnerability in Jenkins Digital.ai App Management Publisher Plugin 2.6 and earlier allows attackers to connect to an attacker-specified URL, capturing credentials stored in Jenkins.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Jenkins	Digital.ai App Management Publisher

Configuration 1 [-]

cpe:2.3:a:jenkins:digital.ai_app_management_publisher:*:*:*:*:*:jenkins:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2023/06/14/5
https://nvd.nist.gov/vuln/detail/CVE-2023-35148
https://www.cve.org/CVERecord?id=CVE-2023-35148
https://www.jenkins.io/security/advisory/2023-06-14/#SECURITY-2911

History

Tue, 31 Dec 2024 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: jenkins

Published: 2023-06-14T12:53:10.250Z

Updated: 2024-12-31T17:19:06.782Z

Reserved: 2023-06-14T08:58:33.245Z

Link: CVE-2023-35148

Vulnrichment

Updated: 2024-08-02T16:23:59.299Z

NVD

Status : Modified

Published: 2023-06-14T13:15:12.220

Modified: 2024-12-31T18:15:24.980

Link: CVE-2023-35148

Redhat

Severity : Moderate

Publid Date: 2023-06-14T00:00:00Z

Links: CVE-2023-35148 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-35148", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "state": "PUBLISHED", "assignerShortName": "jenkins", "dateReserved": "2023-06-14T08:58:33.245Z", "datePublished": "2023-06-14T12:53:10.250Z", "dateUpdated": "2024-12-31T17:19:06.782Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "Jenkins Digital.ai App Management Publisher Plugin", "vendor": "Jenkins Project", "versions": [{"lessThanOrEqual": "2.6", "status": "affected", "version": "0", "versionType": "maven"}]}], "descriptions": [{"lang": "en", "value": "A cross-site request forgery (CSRF) vulnerability in Jenkins Digital.ai App Management Publisher Plugin 2.6 and earlier allows attackers to connect to an attacker-specified URL, capturing credentials stored in Jenkins."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T12:50:41.952Z"}, "references": [{"name": "Jenkins Security Advisory 2023-06-14", "tags": ["vendor-advisory"], "url": "https://www.jenkins.io/security/advisory/2023-06-14/#SECURITY-2911"}, {"url": "http://www.openwall.com/lists/oss-security/2023/06/14/5"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:23:59.299Z"}, "title": "CVE Program Container", "references": [{"name": "Jenkins Security Advisory 2023-06-14", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.jenkins.io/security/advisory/2023-06-14/#SECURITY-2911"}, {"url": "http://www.openwall.com/lists/oss-security/2023/06/14/5", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-352", "lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-31T17:19:02.459666Z", "id": "CVE-2023-35148", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-31T17:19:06.782Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.jenkins.io/security/advisory/2023-06-14/#SECURITY-2911", "name": "Jenkins Security Advisory 2023-06-14", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/06/14/5", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:23:59.299Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-35148", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-12-31T17:19:02.459666Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-31T17:18:38.340Z"}}], "cna": {"affected": [{"vendor": "Jenkins Project", "product": "Jenkins Digital.ai App Management Publisher Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "maven", "lessThanOrEqual": "2.6"}], "defaultStatus": "unknown"}], "references": [{"url": "https://www.jenkins.io/security/advisory/2023-06-14/#SECURITY-2911", "name": "Jenkins Security Advisory 2023-06-14", "tags": ["vendor-advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/06/14/5"}], "descriptions": [{"lang": "en", "value": "A cross-site request forgery (CSRF) vulnerability in Jenkins Digital.ai App Management Publisher Plugin 2.6 and earlier allows attackers to connect to an attacker-specified URL, capturing credentials stored in Jenkins."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T12:50:41.952Z"}}}, "cveMetadata": {"cveId": "CVE-2023-35148", "state": "PUBLISHED", "dateUpdated": "2024-12-31T17:19:06.782Z", "dateReserved": "2023-06-14T08:58:33.245Z", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "datePublished": "2023-06-14T12:53:10.250Z", "assignerShortName": "jenkins"}, "dataVersion": "5.1"}