CVE-2023-40344
Description
Missing permission check in Jenkins Delphix Plugin 3.0.2 and earlier allows attackers with Overall/Read to enumerate credential IDs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing permission check in the Jenkins Delphix Plugin before version 3.0.3 allows attackers with Overall/Read permission to enumerate credential IDs stored in Jenkins [1]. The plugin fails to properly verify that the user has the necessary permission to list credentials, exposing sensitive metadata.
Exploitation requires only Overall/Read permission, which is often granted to low-privileged users [1]. The attack can be performed remotely over the network with nothing beyond that permission, because the missing check is in a REST endpoint that does not enforce authorization.
An attacker can enumerate credential IDs, which can then be used in further attacks to potentially harvest the actual credentials, leading to broader compromise [1][2].
Jenkins has released Delphix Plugin version 3.0.3 that fixes this issue by adding the missing permission check [2]. Users are advised to upgrade to this version immediately to mitigate the vulnerability.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:delphix (Maven) | < 3.0.3 | 3.0.3 |
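To check an estate against the version boundary in the table above, the following added example (not code from the advisory or from the plugin) classifies each controller's installed Delphix Plugin version relative to 3.0.3. It assumes the plugin's short name is `delphix` (taken from the Maven artifactId) and that each controller's inventory is a JSON document with a `plugins` list of `shortName`/`version` entries; the controller names and sample inventory are constructed.

```python
import json
import re

PLUGIN = "delphix"  # assumption: plugin short name equals the Maven artifactId
FIXED = "3.0.3"     # first patched version, from this page

def split_version(v):
    """Split '3.0.3-rc1' into ((3, 0, 3), '-rc1'); trailing zeros are dropped."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:  # treat 3.0 and 3.0.0 as equal
        nums.pop()
    return tuple(nums), m.group(2)

def assess(version, fixed=FIXED):
    """Classify an installed version against the first patched release."""
    nums, suffix = split_version(version)
    fixed_nums, _ = split_version(fixed)
    if nums < fixed_nums:
        return "vulnerable"
    if nums == fixed_nums and suffix:
        return "review"  # pre-release or custom build of the fixed version
    return "patched"

def audit(inventory_json, plugin=PLUGIN):
    """Return {controller: status} for one plugin across several controllers."""
    results = {}
    for controller, doc in json.loads(inventory_json).items():
        results[controller] = "not installed"
        for p in doc.get("plugins", []):
            if p.get("shortName") == plugin:
                results[controller] = assess(p["version"])
    return results

# Constructed sample: one plugin inventory document per hypothetical controller.
SAMPLE = json.dumps({
    "ci-build": {"plugins": [{"shortName": "delphix", "version": "3.0.2"},
                             {"shortName": "git", "version": "5.2.0"}]},
    "ci-release": {"plugins": [{"shortName": "delphix", "version": "3.0.3"}]},
    "ci-lab": {"plugins": [{"shortName": "delphix", "version": "3.0.3-rc1"}]},
    "ci-docs": {"plugins": [{"shortName": "git", "version": "5.2.0"}]},
})

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```

A `review` result marks a build whose numeric version equals 3.0.3 but carries a suffix, so it cannot be assumed to contain the fix without checking.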
Affected products
- Range: 0
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-3fqw-j7x8-g75j (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-40344 (ghsa, ADVISORY)
- www.jenkins.io/security/advisory/2023-08-16/ (ghsa, vendor-advisory, WEB)
- www.openwall.com/lists/oss-security/2023/08/16/3 (ghsa, WEB)
- support.delphix.com/Support_Policies_and_Technical_Bulletins/Technical_Bulletins/TB111_Delphix_Plugin_for_Jenkins_Vulnerable_to_Credential_Enumeration_and_Capture (ghsa, WEB)
News mentions
- Jenkins Security Advisory 2023-08-16, Jenkins Security Advisories · Aug 16, 2023