CVE-2023-46651
Description
Jenkins Warnings Plugin 10.5.0 and earlier fails to set the proper context for credentials lookup, allowing attackers with Item/Configure permission to capture system-scoped credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
Jenkins Warnings Plugin (warnings-ng) versions 10.5.0 and earlier do not set the appropriate context for credentials lookup: the Axivion integration's `withValidCredentials()` method called `CredentialsProvider.lookupCredentials` with a null `Item` context (see the patches below). A null context makes the lookup return system-scoped credentials, which are reserved for global configuration, instead of restricting the result to credentials intended for the specific job or item [1][2].
Exploitation
An attacker with Item/Configure permission can exploit this vulnerability by configuring a job to leverage the Warnings Plugin's credential lookup mechanism. Because the plugin does not enforce the correct credential context, the attacker can access and capture system-scoped credentials that they would not normally be entitled to see [1][3].
Impact
Successful exploitation allows an attacker with only Item/Configure permission to obtain sensitive credentials stored in Jenkins. These credentials could then be used to escalate privileges or access other systems integrated with Jenkins [1].
Mitigation
The vulnerability is fixed in Warnings Plugin version 10.5.1, with a backported fix also available in version 10.4.1 [1][3]. Users should upgrade immediately to one of these patched versions to prevent credential exposure.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.jenkins.plugins:warnings-ng (Maven) | >= 10.5.0, < 10.5.1 | 10.5.1 |
| io.jenkins.plugins:warnings-ng (Maven) | < 10.4.1 | 10.4.1 |
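As an added example (not part of this advisory page or of the warnings-ng project), the following Python script encodes the two affected ranges from the table above, including the 10.4.1 backport edge case that the plain "10.5.0 and earlier" wording in the mitigation paragraph hides, and checks them against the plugin inventory an administrator can export from a controller's `/pluginManager/api/json?depth=1` endpoint. The JSON below is a constructed stand-in for that response; the field names `plugins`, `shortName` and `version` are the ones Jenkins returns.

```python
"""Flag installed warnings-ng versions that fall in the CVE-2023-46651 affected ranges.

Added example: the ranges below are transcribed from the advisory's package table;
the JSON input is a constructed stand-in for Jenkins' /pluginManager/api/json?depth=1.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# (introduced, fixed): a version v is affected when introduced <= v < fixed.
# introduced=None means "every version below fixed".
WARNINGS_NG_RANGES: List[Tuple[Optional[str], str]] = [
    ("10.5.0", "10.5.1"),  # 10.5.x line, fixed in 10.5.1
    (None, "10.4.1"),      # older releases, fixed by the 10.4.1 backport
]


def parse_version(version: str) -> Tuple[int, ...]:
    """'10.5.0' -> (10, 5, 0). A segment without a leading number counts as 0,
    and a trailing qualifier such as '-rc1' is ignored."""
    parts = []
    for segment in version.split("."):
        match = re.match(r"\d+", segment)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1; shorter tuples are zero-padded so '10.5' == '10.5.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_vulnerable(version: str) -> bool:
    """True when the version lies inside any affected range."""
    for introduced, fixed in WARNINGS_NG_RANGES:
        if introduced is not None and compare_versions(version, introduced) < 0:
            continue  # below the start of this range
        if compare_versions(version, fixed) < 0:
            return True
    return False


def find_vulnerable_plugins(plugin_manager_json: str) -> Dict[str, str]:
    """Return {shortName: version} for installed warnings-ng versions that are affected.
    Input: the response body of /pluginManager/api/json?depth=1."""
    data = json.loads(plugin_manager_json)
    findings: Dict[str, str] = {}
    for plugin in data.get("plugins", []):
        name = plugin.get("shortName")
        version = str(plugin.get("version", ""))
        if name == "warnings-ng" and version and is_vulnerable(version):
            findings[name] = version
    return findings


# Constructed sample: a controller still on warnings-ng 10.4.0 (affected) plus an unrelated plugin.
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({
    "plugins": [
        {"shortName": "warnings-ng", "version": "10.4.0", "active": True},
        {"shortName": "example-plugin", "version": "1.2.3", "active": True},
    ]
})


if __name__ == "__main__":
    for name, version in find_vulnerable_plugins(SAMPLE_PLUGIN_MANAGER_JSON).items():
        print(f"{name} {version}: affected by CVE-2023-46651, "
              f"upgrade to 10.5.1 (or 10.4.1 on the 10.4 line)")
```

Note that 10.4.1 and later 10.4.x releases are treated as patched because of the backport, while 10.5.0 is flagged even though it is newer; a check that only compares against a single "fixed" version would get one of those two cases wrong.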
Affected products
- Range: 10.5.1
Patches
17d18d2fae58: SECURITY-3265
1 file changed · +4 −3
plugin/src/main/java/io/jenkins/plugins/analysis/warnings/axivion/AxivionSuite.java+4 −3 modified@@ -188,7 +188,8 @@ protected Object readResolve() { public Report scan(final Run<?, ?> run, final FilePath workspace, final Charset sourceCodeEncoding, final LogHandler logger) throws ParsingException, ParsingCanceledException { - final AxivionDashboard dashboard = new RemoteAxivionDashboard(projectUrl, withValidCredentials(), namedFilter); + final UsernamePasswordCredentials httpClientCredentials = withValidCredentials(run.getParent()); + final AxivionDashboard dashboard = new RemoteAxivionDashboard(projectUrl, httpClientCredentials, namedFilter); final AxivionParser.Config config = new Config(projectUrl, expandBaseDir(run, basedir), ignoreSuppressedOrJustified); final AxivionParser parser = new AxivionParser(config); @@ -207,11 +208,11 @@ public Report scan(final Run<?, ?> run, final FilePath workspace, final Charset return report; } - private UsernamePasswordCredentials withValidCredentials() { + private UsernamePasswordCredentials withValidCredentials(final Item context) { final List<StandardUsernamePasswordCredentials> all = CredentialsProvider.lookupCredentials( StandardUsernamePasswordCredentials.class, - (Item) null, + context, null, Collections.emptyList());
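Review bot: the new `withValidCredentials(final Item context)` parameter is never null-checked, yet the whole fix rests on `context` being non-null; a caller passing `null` would silently reinstate the `(Item) null` system-scope lookup this change removes. Suggest annotating the parameter `@NonNull` and adding `Objects.requireNonNull(context);` at the top of the method, and adding a short Javadoc line explaining that the lookup must be scoped to the job (`run.getParent()`) so that only credentials visible to that item are candidates.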
372cd40ce73b: SECURITY-3265
1 file changed · +4 −3
plugin/src/main/java/io/jenkins/plugins/analysis/warnings/axivion/AxivionSuite.java+4 −3 modified@@ -188,7 +188,8 @@ protected Object readResolve() { public Report scan(final Run<?, ?> run, final FilePath workspace, final Charset sourceCodeEncoding, final LogHandler logger) throws ParsingException, ParsingCanceledException { - final AxivionDashboard dashboard = new RemoteAxivionDashboard(projectUrl, withValidCredentials(), namedFilter); + final UsernamePasswordCredentials httpClientCredentials = withValidCredentials(run.getParent()); + final AxivionDashboard dashboard = new RemoteAxivionDashboard(projectUrl, httpClientCredentials, namedFilter); final AxivionParser.Config config = new Config(projectUrl, expandBaseDir(run, basedir), ignoreSuppressedOrJustified); final AxivionParser parser = new AxivionParser(config); @@ -207,11 +208,11 @@ public Report scan(final Run<?, ?> run, final FilePath workspace, final Charset return report; } - private UsernamePasswordCredentials withValidCredentials() { + private UsernamePasswordCredentials withValidCredentials(final Item context) { final List<StandardUsernamePasswordCredentials> all = CredentialsProvider.lookupCredentials( StandardUsernamePasswordCredentials.class, - (Item) null, + context, null, Collections.emptyList());
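Review bot: this backport carries the same two hunks as commit 17d18d2fae58, so the missing null guard on `context` applies here as well; in addition, the domain-requirements argument stays `Collections.emptyList()` even though `projectUrl` is available in the same method, so consider passing requirements built from that URL (for example via `URIRequirementBuilder.fromUri(projectUrl).build()`) so that only credentials whose domain matches the dashboard host are candidates, rather than every username/password credential visible to the job.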
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-66hv-fhcm-7xm7 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-46651 (ghsa, ADVISORY)
- www.jenkins.io/security/advisory/2023-10-25/ (ghsa, vendor-advisory, WEB)
- www.openwall.com/lists/oss-security/2023/10/25/2 (ghsa, WEB)
- github.com/jenkinsci/warnings-ng-plugin/commit/17d18d2fae58f5658a40d03a03f927819eb6cf1a (ghsa, WEB)
- github.com/jenkinsci/warnings-ng-plugin/commit/372cd40ce73b25d8ae632b262f6ae1cd36ad9e4c (ghsa, WEB)
News mentions
- Jenkins Security Advisory 2023-10-25 (Jenkins Security Advisories · Oct 25, 2023)