VYPR
Moderate severity
NVD Advisory · Published Jan 24, 2023 · Updated Apr 2, 2025

CVE-2023-24431

Description

A missing permission check in Jenkins Orka by MacStadium Plugin allows attackers with Overall/Read to enumerate credential IDs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

Orka by MacStadium Plugin 1.31 and earlier does not perform a permission check in one of its endpoints (the advisory does not name it). Any user holding Overall/Read permission can therefore request that endpoint and obtain the IDs of credentials stored in Jenkins, which Jenkins would otherwise only disclose to users with appropriate permissions [1].

Exploitation

The only prerequisite is Overall/Read permission. This is the baseline permission that most Jenkins authorization setups grant to every authenticated user, and on instances that grant it to anonymous users no account is needed at all. No special network position is required: the endpoint is reached with a crafted HTTP request to the Jenkins web interface [1].

Impact

Successful exploitation reveals credential IDs, the identifiers by which jobs and plugins refer to credentials stored in Jenkins. The secret values themselves (passwords, tokens, keys) are not exposed, and using, modifying or deleting a credential still requires permissions beyond Overall/Read. The IDs are nevertheless useful to an attacker: Jenkins endpoints that accept a caller-supplied credentials ID and then act with that credential (connection tests and similar form-validation methods are the usual case) need a valid ID as input, so enumeration is typically the first step in a chain that goes on to capture the underlying secret or to target a specific credential in a later request [1].

Mitigation

Orka by MacStadium Plugin 1.32 fixes this issue. Administrators should upgrade to 1.32 or later. No workaround is known; on an instance that cannot be upgraded immediately, the only way to reduce exposure is to limit who holds Overall/Read, in particular by not granting it to anonymous users [1].
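To confirm whether an instance you administer is still in the affected range, the following added example (not code from Jenkins, the plugin maintainers, or this advisory) compares the installed plugin version against the fixed release 1.32 listed in the Affected packages table. It assumes the plugin's shortName in the Jenkins plugin manager API is "macstadium-orka" (the Maven artifactId of io.jenkins.plugins:macstadium-orka; the page does not state this) and works on a constructed sample response in the shape Jenkins returns from GET /pluginManager/api/json?depth=1, so it runs offline.

```python
"""Exposure check for CVE-2023-24431 (Orka by MacStadium Plugin < 1.32).

Added example for this page; not code from Jenkins, the plugin maintainers,
or the advisory. Assumptions not stated on the page: the plugin's shortName in
Jenkins' plugin manager API is "macstadium-orka" (the Maven artifactId), and
the sample response below is constructed, not captured from a live instance.
"""
import base64
import json
import re
import urllib.request
from typing import Dict, List, Tuple

PLUGIN_SHORT_NAME = "macstadium-orka"  # assumed shortName for io.jenkins.plugins:macstadium-orka
FIXED_VERSION = "1.32"                 # first release containing the fix, per the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Return the leading dotted numeric components of a plugin version.

    Plugin versions are usually plain ('1.31'), but may carry suffixes such as
    '1.32-rc1' or '2.0.1-SNAPSHOT'. Only the numeric prefix is compared; a
    pre-release that already carries the fixed version number is therefore
    treated as fixed, which is worth verifying by hand.
    """
    match = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not match:
        raise ValueError(f"unparseable plugin version: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version sorts strictly below the fixed release."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))          # pad so that 1.32 and 1.32.0 compare equal
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def affected_plugins(plugin_manager_json: str) -> List[Dict[str, object]]:
    """Scan a GET /pluginManager/api/json?depth=1 response for the vulnerable
    plugin and return the entries that fall in the affected range.

    A disabled plugin is still reported: its jar is present and the endpoint
    becomes reachable again as soon as someone re-enables it.
    """
    findings: List[Dict[str, object]] = []
    for plugin in json.loads(plugin_manager_json).get("plugins", []):
        if plugin.get("shortName") != PLUGIN_SHORT_NAME:
            continue
        version = str(plugin.get("version", ""))
        if is_affected(version):
            findings.append({
                "shortName": PLUGIN_SHORT_NAME,
                "version": version,
                "fixed_in": FIXED_VERSION,
                "enabled": bool(plugin.get("enabled", True)),
            })
    return findings


def fetch_plugin_manager_json(base_url: str, user: str, api_token: str) -> str:
    """Fetch the plugin list from a live instance.

    Reading the plugin manager requires administrative access, so this is an
    administrator's own check with an admin API token, not an attacker-side step.
    """
    url = base_url.rstrip("/") + "/pluginManager/api/json?depth=1"
    token = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    request = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(request, timeout=30) as response:
        return response.read().decode("utf-8")


# Constructed sample response (not from a real instance): one unrelated plugin
# and an affected Orka by MacStadium Plugin 1.31.
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({
    "plugins": [
        {"shortName": "credentials", "version": "2.6.1", "enabled": True},
        {"shortName": PLUGIN_SHORT_NAME, "version": "1.31", "enabled": True},
    ]
})

if __name__ == "__main__":
    for finding in affected_plugins(SAMPLE_PLUGIN_MANAGER_JSON):
        print(f"{finding['shortName']} {finding['version']} is affected; "
              f"upgrade to {finding['fixed_in']} or later")
```

Against a live instance, replace the sample with `fetch_plugin_manager_json("https://jenkins.example", "admin", "<api token>")`. The version comparison deliberately ignores suffixes, so a build such as 1.32-rc1 is treated as fixed; check such builds by hand rather than trusting the script.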

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: io.jenkins.plugins:macstadium-orka (Maven)
Affected versions: < 1.32
Patched versions: 1.32

Vulnerability mechanics

No source-code context is available for this CVE. The mechanics sections (root cause, attack vector, affected code, fix) are generated only when the actual fix diff can be read; without it, they would be speculation rather than analysis.
