Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13aGdqLTZtNzgtMmdnOc4AAz2l
Arbitrary file read vulnerability in Jenkins AWS CodeCommit Trigger Plugin
Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not restrict the AWS SQS queue name path parameter in an HTTP endpoint, allowing attackers with Item/Read permission to obtain the contents of arbitrary files on the Jenkins controller file system.
Permalink: https://github.com/advisories/GHSA-whgj-6m78-2gg9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13aGdqLTZtNzgtMmdnOc4AAz2l
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 11 months ago
Updated: 4 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-whgj-6m78-2gg9, CVE-2023-35147
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-35147
- https://www.jenkins.io/security/advisory/2023-06-14/#SECURITY-3099
- http://www.openwall.com/lists/oss-security/2023/06/14/5
- https://github.com/advisories/GHSA-whgj-6m78-2gg9
Affected Packages
maven:org.jenkins-ci.plugins:aws-codecommit-trigger
Affected Version Ranges: <= 3.0.12
No known fixed version