CVE-2023-41947
Description
The Jenkins Frugal Testing Plugin 1.1 and earlier does not verify permissions, allowing attackers with Overall/Read access to use attacker-specified credentials to connect to Frugal Testing.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
The Jenkins Frugal Testing Plugin (version 1.1 and earlier) is missing a permission check. An attacker holding only Overall/Read permission can make the Jenkins controller connect to the Frugal Testing service with credentials the attacker supplies, bypassing the access control that is supposed to reserve plugin configuration and connection testing for users permitted to configure the plugin (typically Overall/Administer) [1][2].
Exploitation Conditions
The attacker needs Overall/Read permission on the Jenkins instance. That is the lowest permission Jenkins grants, every other permission implies it, and most installations give it to every authenticated user (some grant it to anonymous users as well). Nothing further is required: the attacker submits credentials of their choosing to the plugin, and Jenkins uses them for the connection without checking whether the caller is allowed to trigger it [3].
Impact
The Jenkins controller authenticates to Frugal Testing with credentials the attacker chose and returns the outcome to the attacker. The controller thereby becomes an outbound relay for connection and credential attempts the attacker could not otherwise make, or could not make from the controller's network position, and whatever the plugin does on the Frugal Testing side during that connection happens under the attacker's credentials rather than an administrator's. The CVE description claims only this unauthorized outbound connection, not code execution on or credential theft from the controller, so the pipeline impact is limited to what the plugin itself does with that connection [2].
Mitigation Status
As of the advisory's publication date (2023-09-06) no fixed release of the Frugal Testing Plugin existed, and the affected-packages data on this page still lists no patched version. Until one ships, uninstall the plugin where it is not needed; merely disabling it leaves its endpoints reachable until the controller restarts. Where it must stay installed, treat every account with Overall/Read as able to trigger the vulnerable connection, and keep that permission away from anonymous and untrusted users [1][2].
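The check a practitioner wants first is whether any controller in the fleet still carries the affected plugin. The script below is an added example for this page, not code from the Jenkins project or the plugin's maintainers. It parses the JSON a controller returns for GET /pluginManager/api/json?depth=1 (a real Jenkins endpoint that itself requires Overall/Read; authenticate with a user API token) and flags the `frugal-testing` plugin when its version falls in the `<= 1.1` range from the affected-packages table. The endpoint, the JSON field names and the version range are real; the sample response, the host `jenkins.example` and the function names are constructed for the example.

```python
"""Find Jenkins controllers still running Frugal Testing Plugin <= 1.1.

Added example for this advisory page, not code from the Jenkins project or
the plugin. It reads the JSON a controller returns for
GET /pluginManager/api/json?depth=1 and here runs offline against a
constructed sample of that JSON.
"""
import base64
import json
import re
import urllib.request
from typing import Dict, List, Tuple, Union

AFFECTED_SHORT_NAME = "frugal-testing"  # plugin id taken from the GHSA package name
MAX_AFFECTED = "1.1"                     # "<= 1.1" from the affected-versions table

# Constructed sample of a pluginManager/api/json?depth=1 body (not captured from
# a real controller). The per-plugin keys are the ones Jenkins actually emits.
SAMPLE_RESPONSE = json.dumps({
    "_class": "hudson.LocalPluginManager",
    "plugins": [
        {"shortName": "credentials", "version": "1319.v7eb_51b_3a_c97b_",
         "active": True, "enabled": True},
        {"shortName": "frugal-testing", "version": "1.1",
         "active": True, "enabled": True},
    ],
})

VersionKey = List[Tuple[int, Union[int, str]]]


def version_key(version: str) -> VersionKey:
    """Split a plugin version into comparable tokens.

    Numeric tokens compare as integers and anything else as text, so "1.10"
    sorts after "1.9" and "1.1" sorts before "1.1.1". Maven's special rules
    for qualifiers such as SNAPSHOT are not replicated; the affected releases
    of this plugin are plain dotted numbers, which this handles.
    """
    key: VersionKey = []
    for token in re.split(r"[.\-_]", version.strip()):
        if token.isdigit():
            key.append((0, int(token)))
        elif token:
            key.append((1, token.lower()))
    return key


def is_affected(version: str) -> bool:
    """True when version falls inside the advisory's <= 1.1 range."""
    return version_key(version) <= version_key(MAX_AFFECTED)


def audit(plugin_manager_json: str) -> Dict[str, object]:
    """Classify one controller from its pluginManager JSON.

    "active" means the plugin is loaded right now, so its endpoints are
    reachable; "enabled" only says whether it will load again after a
    restart. Exposure is therefore judged on "active".
    """
    plugins = json.loads(plugin_manager_json).get("plugins", [])
    for plugin in plugins:
        if plugin.get("shortName") != AFFECTED_SHORT_NAME:
            continue
        version = str(plugin.get("version", ""))
        active = bool(plugin.get("active", False))
        affected = is_affected(version)
        return {
            "installed": True,
            "version": version,
            "active": active,
            "enabled": bool(plugin.get("enabled", True)),
            "affected": affected,
            "exposed": affected and active,
        }
    return {"installed": False, "version": None, "active": False,
            "enabled": False, "affected": False, "exposed": False}


def fetch_plugin_manager_json(base_url: str, user: str, api_token: str) -> str:
    """Pull the live JSON from a controller you administer (not run offline)."""
    url = base_url.rstrip("/") + "/pluginManager/api/json?depth=1"
    token = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    request = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(request, timeout=30) as response:
        return response.read().decode("utf-8")


if __name__ == "__main__":
    # Offline run against the constructed sample; replace SAMPLE_RESPONSE with
    # fetch_plugin_manager_json("https://jenkins.example", "user", "api-token")
    # to audit a real controller.
    print(json.dumps(audit(SAMPLE_RESPONSE), indent=2))
```

Run it against each controller's JSON and act on `exposed` rather than `affected`: an installed but inactive copy is a cleanup item, an active one is a live finding until the plugin is removed.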
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.jenkins.plugins:frugal-testing (Maven) | <= 1.1 | none |
Patches
No patches discovered yet.
Vulnerability mechanics
The advisory text fixes the class of bug but not the exact method, so what follows is the general mechanism of a Jenkins "missing permission check" rather than a reading of the plugin's source. Jenkins exposes plugin descriptor methods named do*() (form validation, list filling, connection tests) as HTTP endpoints through Stapler, and the core itself only requires Overall/Read, plus a CSRF token for POST requests, to reach them. Each such method is responsible for its own authorization, conventionally a call such as Jenkins.get().checkPermission(Jenkins.ADMINISTER) before doing anything with the request. The Frugal Testing Plugin's connection handling omits that check, so any user with Overall/Read can pass their own credentials as request parameters and the controller performs the connection to Frugal Testing on their behalf.
References
- github.com/advisories/GHSA-p986-hpr3-493p (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-41947 (NVD entry)
- www.jenkins.io/security/advisory/2023-09-06/ (vendor advisory)
- www.openwall.com/lists/oss-security/2023/09/06/9 (oss-security post)
News mentions
- Jenkins Security Advisory 2023-09-06, Jenkins Security Advisories, Sep 6, 2023