CVE-2023-41943
Description
Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier lacks permission check in an HTTP endpoint, allowing attackers with Overall/Read to clear the SQS queue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
Jenkins AWS CodeCommit Trigger Plugin versions 3.0.12 and earlier contain a missing permission check in an HTTP endpoint. The endpoint does not verify that the caller holds the required permission before clearing the Amazon SQS queue the plugin uses to receive CodeCommit trigger events [1][3]. This is a straightforward missing-authorization bug: the request is routed and acted on as long as the caller can reach Jenkins at all.
Exploitation
An attacker holding only Overall/Read (the permission needed merely to access Jenkins) can exploit the flaw by sending a crafted HTTP request to the vulnerable endpoint [2]. No further privileges or special network access are required beyond reaching the Jenkins instance; in particular, administrator credentials are not needed. Note that many authorization configurations grant Overall/Read to every logged-in user, and some grant it to anonymous users, in which case the endpoint is effectively unauthenticated.
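The class of bug is easiest to see in code. The following is an added illustration written for this page, not code from the AWS CodeCommit Trigger Plugin: the package, class and method names, and the stand-in queue client, are assumptions, since the advisory does not name the affected endpoint. It shows a Jenkins descriptor web method that acts without an authorization check, reachable by anyone with Overall/Read, beside the hardened form.

```java
package io.example.codecommit; // hypothetical package, not the plugin's

import hudson.Extension;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.interceptor.RequirePOST;

/**
 * Illustrative descriptor (assumed, not the plugin's). Stapler routes any
 * public doXxx method on a Descriptor, for example
 *   /descriptorByName/io.example.codecommit.ExampleQueueConfig/clearQueue
 * The only thing Jenkins core enforces to reach that URL tree is Overall/Read;
 * everything stronger is the handler's own responsibility.
 */
@Extension
public class ExampleQueueConfig extends GlobalConfiguration {

    /** Stand-in for an SQS client; the plugin's real queue code is not shown here. */
    private final QueueClient sqs = new QueueClient();

    // VULNERABLE pattern, the bug class described in the advisory:
    // no permission check, and reachable by GET, so any Overall/Read user
    // (or a link they are tricked into following) purges the queue.
    public HttpResponse doClearQueueVulnerable() {
        sqs.purge();
        return HttpResponses.ok();
    }

    // HARDENED pattern:
    //  1. @RequirePOST rejects GET, so a plain link or <img> tag cannot fire it,
    //     and POST requests are subject to the Jenkins CSRF crumb check.
    //  2. checkPermission throws AccessDeniedException (rendered as HTTP 403)
    //     unless the caller holds Overall/Administer; Overall/Read alone fails.
    @RequirePOST
    public HttpResponse doClearQueue() {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        sqs.purge();
        return HttpResponses.ok();
    }

    /** Minimal stand-in so the example compiles; assumed, not plugin code. */
    static final class QueueClient {
        private int pendingMessages = 0;

        void purge() {
            pendingMessages = 0;
        }

        int pending() {
            return pendingMessages;
        }
    }
}
```

The regression test for this bug class is a JenkinsRule test that requests the endpoint as a user granted only Overall/Read and asserts a 403 (and a 405 for GET once `@RequirePOST` is in place). Reviewers auditing a plugin for the same issue should grep for `public .* do[A-Z]` methods on Descriptor, Action and Trigger classes and confirm each one either calls `checkPermission` or is harmless to call.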
Impact
Successful exploitation allows the attacker to clear the SQS queue, which disrupts the processing of AWS CodeCommit triggers. This can lead to a denial of service condition where legitimate trigger events are lost, potentially causing missed builds or deployments [1]. The impact is limited to the SQS queue; no data exfiltration or code execution is reported.
Mitigation
As of the Jenkins security advisory of 6 September 2023, no fix had been released for this plugin [2]. Until one is available, administrators should restrict who can reach the Jenkins instance, review which users and groups (including anonymous) hold Overall/Read, or disable or uninstall the plugin if it is not needed. The cited references do not report exploitation in the wild.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:aws-codecommit-trigger (Maven) | <= 3.0.12 | — |
Patches
No patches discovered yet.
References
1. https://github.com/advisories/GHSA-r428-g373-m2h4 (GitHub Security Advisory)
2. https://nvd.nist.gov/vuln/detail/CVE-2023-41943 (NVD)
3. https://www.jenkins.io/security/advisory/2023-09-06/ (Jenkins vendor advisory)
4. https://www.openwall.com/lists/oss-security/2023/09/06/9 (oss-security mailing list)
News mentions
- Jenkins Security Advisory 2023-09-06, Jenkins Security Advisories, Sep 6, 2023