VYPR
High severity · NVD Advisory · Published Sep 6, 2023 · Updated Sep 26, 2024

CVE-2023-41945

Description

Jenkins Assembla Auth Plugin 1.14 and earlier fails to verify that granted permissions are enabled, granting Overall/Manage and Overall/SystemRead to users with EDIT permissions even when disabled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Analysis

The Jenkins Assembla Auth Plugin, versions 1.14 and earlier, contains an authorization logic flaw where it does not verify whether the permissions it grants are actually enabled. This results in users who have EDIT permissions being automatically granted Overall/Manage and Overall/SystemRead permissions, regardless of whether those higher-level permissions have been explicitly disabled by the administrator.

Exploitation Vector

The attack surface is limited to authenticated users who already possess EDIT permissions within a specific project or configuration scope. No additional authentication bypass or network access is required beyond standard Jenkins usage. The plugin incorrectly assumes that if a permission is granted to a role, it should be effective, ignoring the administrative setting that may have disabled it.

Impact

Successful exploitation allows a user with EDIT permissions to effectively perform administrative actions (Overall/Manage) and read system-level configuration (Overall/SystemRead) that should be restricted. This can lead to unauthorized changes to Jenkins global settings, access to sensitive configuration data, and potential further compromise of the Jenkins instance.

Mitigation

As of the Jenkins Security Advisory 2023-09-06, the Assembla Auth Plugin is listed as an unresolved security issue with no fix available in the advisory [1][2]. The plugin is likely unmaintained. Administrators should consider disabling or removing the plugin until a patched version is released, or restrict access to only trusted users with EDIT permissions.
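To check an instance for the conditions described above, the following Jenkins Script Console audit script is added here; it is not part of the advisory or of the plugin. It assumes the plugin's short name is `assembla-auth` (taken from the Maven artifact id listed on this page) and uses only Jenkins core APIs (`PluginManager`, `PluginWrapper`, `Permission.getEnabled()`, `VersionNumber`).

```groovy
// Added audit script for Manage Jenkins > Script Console (requires Overall/Administer).
// Assumption: the plugin short name is "assembla-auth", derived from the Maven
// artifact id org.jenkins-ci.plugins:assembla-auth shown in this advisory.
import jenkins.model.Jenkins
import hudson.security.Permission
import hudson.util.VersionNumber

def j = Jenkins.get()
def plugin = j.pluginManager.getPlugin('assembla-auth')

if (plugin == null) {
    println 'assembla-auth is not installed; CVE-2023-41945 does not apply here.'
} else {
    // Affected range from the advisory: 1.14 and earlier.
    def affected = plugin.versionNumber.compareTo(new VersionNumber('1.14')) <= 0
    println "assembla-auth ${plugin.version} installed (active=${plugin.active}), affected=${affected}"
}

// The two optional permissions the plugin grants to EDIT users without checking
// whether they are enabled. If enabled=false below and an affected version is
// active, the grant still takes effect, which is the flaw this CVE describes.
[Jenkins.MANAGE, Jenkins.SYSTEM_READ].each { Permission p ->
    println "${p.group.title}/${p.name}: enabled=${p.enabled}"
}

println "Authorization strategy in use: ${j.authorizationStrategy.class.name}"
```

If the script reports an affected, active version, the mitigation above applies: disable or remove the plugin, or restrict EDIT to trusted users until a fixed release exists.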

References

[1] Jenkins Security Advisory 2023-09-06
[2] Openwall OSS-Security mailing list post
[3] NVD entry for CVE-2023-41945

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:assembla-auth (Maven)
Affected versions: <= 1.14
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)
