Incorrect authorization in Support Core

#VU69371 Incorrect authorization in Support Core

Published: 2022-11-16

Vulnerability identifier: #VU69371

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-45383

CWE-ID: CWE-863

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Support Core
Web applications / Modules and components for CMS

Vendor: Jenkins

Description

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to an incorrect permission check. A remote user can download a previously created support bundle containing information limited to users with Overall/Administer permission.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Support Core: 1206.v14049fa_b_d860

External links
http://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2804

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Incorrect authorization in Jenkins Support Core plugin