CVE-2023-41941
Description
A missing permission check in Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of AWS credentials stored in Jenkins.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2023-41941 is a missing permission check vulnerability in the Jenkins AWS CodeCommit Trigger Plugin version 3.0.12 and earlier [1]. The plugin does not perform a permission check before exposing credential IDs, which should be visible only to users with higher privileges [2].
Exploitation
An attacker can exploit this vulnerability by leveraging the Overall/Read permission, which is typically granted to all authenticated users or even anonymous users in some Jenkins configurations [1][2]. No additional authentication or network access is required beyond access to the Jenkins instance. The attacker can enumerate AWS credential IDs by sending crafted requests to the affected plugin endpoint [1].
Impact
Successful exploitation allows an attacker to obtain AWS credential IDs stored in Jenkins, which are sensitive identifiers that can be used in further attacks targeting AWS environments [1][2]. This information disclosure can facilitate the compromise of associated AWS secrets or access keys if an attacker gains other privileges [2].
Mitigation
As of the advisory date (2023-09-06), the AWS CodeCommit Trigger Plugin has not been updated to fix this issue [2]. Users should consider disabling the plugin if it is not in use, or restricting the Overall/Read permission to trusted users only [1][2]. The plugin is listed as having an unresolved security issue in the Jenkins security advisory [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.plugins:aws-codecommit-trigger | Maven | <= 3.0.12 | — |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-pfg6-cj3j-rpv4 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-41941 (NVD advisory)
- www.jenkins.io/security/advisory/2023-09-06/ (vendor advisory)
- www.openwall.com/lists/oss-security/2023/09/06/9 (oss-security mailing list)
News mentions
- Jenkins Security Advisory 2023-09-06 (Jenkins Security Advisories, Sep 6, 2023)