CVE-2023-35149
Description
A missing permission check in Jenkins Digital.ai App Management Publisher Plugin 2.6 and earlier allows attackers with Overall/Read to connect to an attacker-specified URL and capture stored credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A missing permission check in Jenkins Digital.ai App Management Publisher Plugin 2.6 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL, capturing credentials stored in Jenkins [1][2]. The plugin fails to properly verify that a user has the necessary permissions before initiating an outbound connection, enabling unauthorized credential exfiltration.
Exploitation
An attacker needs only the default Overall/Read permission, which is typically granted to most authenticated users. By providing a malicious URL, the attacker can trigger the plugin to send a request containing captured Jenkins credentials to an external server under their control [3].
Impact
Successful exploitation results in the compromise of stored credentials, which could include passwords, API tokens, or other sensitive material. This could lead to further unauthorized access to Jenkins resources and connected systems.
Mitigation
At the time of publication (2023-06-14), the plugin maintainer had not yet released a fix. As a workaround, administrators are advised to restrict Overall/Read permissions to trusted users only or consider disabling the plugin if not necessary [1][3]. The vulnerability is listed as unresolved per the Jenkins security advisory.
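Added here as an illustration, not code from the affected plugin or from the Jenkins project: a Descriptor form-validation method of the kind the advisory describes, written in its hardened form (Java, since Jenkins plugins are Java). The vulnerable shape differs only in lacking the checks marked 1 and 2, which is what lets any Overall/Read user make the server contact a caller-chosen URL with stored credentials. The class and method names, the `https`-only rule and the credential type are assumptions.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Publisher;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import java.net.URI;
import java.util.Collections;

// Hypothetical descriptor; the real plugin's class and method names are not on the page.
public class PublisherDescriptorExample extends BuildStepDescriptor<Publisher> {

    @Override
    public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }

    @POST // only POST requests reach the method, so a plain GET link cannot trigger it
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String url,
                                           @QueryParameter String credentialsId) {
        // 1. Authorization: require the permission needed to configure the job (or,
        //    outside a job context, Overall/Administer). Overall/Read alone is not enough.
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        // 2. Only after the check, resolve the stored credential within the item's scope.
        StandardUsernamePasswordCredentials creds = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                        item, ACL.SYSTEM, Collections.emptyList()),
                CredentialsMatchers.withId(credentialsId));
        if (creds == null) {
            return FormValidation.error("No credentials with id " + credentialsId);
        }
        // 3. Constrain the target before any outbound connection is made (assumed policy).
        URI target;
        try {
            target = URI.create(url);
        } catch (IllegalArgumentException e) {
            return FormValidation.error("Malformed URL");
        }
        if (!"https".equals(target.getScheme())) {
            return FormValidation.error("Only https:// endpoints are allowed");
        }
        // Connect to target with creds using the plugin's own client (plugin-specific, omitted).
        return FormValidation.ok("Permission and URL checks passed for " + target.getHost());
    }
}
```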
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.plugins:ease-plugin | Maven | <= 2.6 | — |
Patches
No patches discovered yet.
References
- [1] https://github.com/advisories/GHSA-5ghv-wxh9-7356 (GitHub Security Advisory)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2023-35149 (NVD)
- [3] https://www.jenkins.io/security/advisory/2023-06-14/ (vendor advisory)
- [4] https://www.openwall.com/lists/oss-security/2023/06/14/5 (oss-security list)
News mentions
- Jenkins Security Advisory 2023-06-14 (Jenkins Security Advisories, Jun 14, 2023)