VYPR
Moderate severity · NVD Advisory · Published Nov 29, 2023 · Updated Aug 2, 2024

CVE-2023-49652

Description

Jenkins Google Compute Engine Plugin 4.550 and earlier has incorrect permission checks allowing attackers with global Item/Configure to enumerate system-scoped credentials and probe GCP projects.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

Jenkins Google Compute Engine Plugin versions 4.550.vb_327fca_3db_11 and earlier do not correctly perform permission checks in multiple HTTP endpoints [1][2]. The endpoints only verify that the caller holds the global Item/Configure permission, i.e. Item/Configure evaluated at the Jenkins root, although what they expose (the IDs of system-scoped credentials and connections to Google Cloud Platform made with those credentials) is administrator-level functionality. A user who has the global permission but lacks Item/Configure on any particular job can therefore reach operations that should have required the broader Overall/Administer permission.

Exploitation

An attacker holding the global Item/Configure permission can abuse the affected endpoints in two ways [2]. First, they can enumerate the IDs of system-scoped credentials stored in Jenkins. Second, by supplying an attacker-specified credentials ID (obtained through another method) as a request parameter, they can make Jenkins connect to Google Cloud Platform with that credential and return information about existing projects. Neither action requires Item/Configure on any specific job; the global permission is sufficient.

Impact

Successful exploitation discloses the IDs of system-scoped credentials. An ID by itself does not reveal the secret, but it is the lookup key an attacker needs to capture the credential through another vulnerability that accepts a credentials ID. The second endpoint additionally lets the attacker use such a credential to query Google Cloud Platform about existing projects, which both confirms that the credential is valid and reveals which projects it can see, and may lead to further unauthorized access to cloud resources. This is a medium-severity information disclosure vulnerability.

Mitigation

The issue is fixed in Google Compute Engine Plugin 4.551.v5a_4dc98f6962, which requires Overall/Administer permission for the affected endpoints [2]; the fix is also backported to 4.3.17.1 for the 4.3.x line [3]. Administrators should upgrade to one of these versions. Until the upgrade is done, only users who hold the global Item/Configure permission can reach the endpoints, so reviewing which users and roles carry that permission narrows the exposure.
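As an added illustration of the permission-check pattern described in the overview and the fix described above (this is example code written for this page, not the Google Compute Engine Plugin's source; the class names, the doCheckProjectId endpoint and the GcpProbe helper are assumptions), the following shows a pair of Jenkins form-validation endpoints first with the global Item/Configure check and then with the Overall/Administer check:

```java
// Added illustration of the permission-check pattern this advisory describes.
// Not the Google Compute Engine Plugin's source: the class names, the
// doCheckProjectId endpoint and the GcpProbe helper are assumptions made for
// this example. In a real plugin these methods live on the cloud's Descriptor.
package example;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.common.StandardCredentials;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import java.util.Collections;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

public class CloudFormValidationExample {

    /** Before: the check the advisory calls incorrect. */
    public static class Vulnerable {

        /** Fills the credentials drop-down on the cloud configuration page. */
        public ListBoxModel doFillCredentialsIdItems(@QueryParameter String value) {
            // Item/Configure evaluated at the Jenkins root is the "global" permission.
            // Anyone allowed to configure jobs somewhere passes, although the data
            // returned below is only meant for administrators.
            if (!Jenkins.get().hasPermission(Item.CONFIGURE)) {
                return new StandardListBoxModel().includeCurrentValue(value);
            }
            // Looks up system-scoped credentials as SYSTEM and returns their IDs:
            // this is the enumeration described in the advisory.
            return new StandardListBoxModel()
                    .includeEmptyValue()
                    .includeMatchingAs(ACL.SYSTEM, Jenkins.get(), StandardCredentials.class,
                            Collections.emptyList(), CredentialsMatchers.always());
        }

        /** Checks a project ID by asking GCP with the selected credentials. */
        public FormValidation doCheckProjectId(@QueryParameter String credentialsId,
                                               @QueryParameter String projectId) {
            if (!Jenkins.get().hasPermission(Item.CONFIGURE)) {
                return FormValidation.ok();
            }
            // Both parameters are attacker-controlled, so Jenkins is turned into a
            // probe that uses stored credentials against GCP on the caller's behalf.
            return GcpProbe.projectExists(credentialsId, projectId)
                    ? FormValidation.ok()
                    : FormValidation.error("Project " + projectId + " not found");
        }
    }

    /** After: what the fixed release does, per the advisory: require Overall/Administer. */
    public static class Fixed {

        public ListBoxModel doFillCredentialsIdItems(@QueryParameter String value) {
            // Non-admins only get back the value already in the form, never the list.
            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                return new StandardListBoxModel().includeCurrentValue(value);
            }
            return new StandardListBoxModel()
                    .includeEmptyValue()
                    .includeMatchingAs(ACL.SYSTEM, Jenkins.get(), StandardCredentials.class,
                            Collections.emptyList(), CredentialsMatchers.always());
        }

        @POST // an endpoint that makes outbound requests must not be reachable by GET (CSRF)
        public FormValidation doCheckProjectId(@QueryParameter String credentialsId,
                                               @QueryParameter String projectId) {
            // checkPermission throws AccessDeniedException instead of silently returning ok
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return GcpProbe.projectExists(credentialsId, projectId)
                    ? FormValidation.ok()
                    : FormValidation.error("Project " + projectId + " not found");
        }
    }

    /** Hypothetical stand-in for the plugin's GCP client; assumed, not real plugin code. */
    static final class GcpProbe {
        static boolean projectExists(String credentialsId, String projectId) {
            // A real implementation resolves credentialsId to stored GCP credentials
            // and calls the Cloud Resource Manager API. Kept local so the example
            // needs no GCP client library on the classpath.
            return credentialsId != null && !credentialsId.isEmpty()
                    && projectId != null && !projectId.isEmpty();
        }
    }
}
```

The detail to take away is which object the permission is checked against: `Jenkins.get().hasPermission(Item.CONFIGURE)` asks whether the caller may configure items anywhere, which is far weaker than ownership of the cloud configuration. Endpoints that hand out system-scoped credential IDs or connect outward with those credentials belong to the administrator, so the check must be `Jenkins.ADMINISTER`, and the outbound one should also be POST-only.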

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.jenkins-ci.plugins:google-compute-engine (Maven) | < 4.3.17.1 | 4.3.17.1
org.jenkins-ci.plugins:google-compute-engine (Maven) | >= 4.5, < 4.551.v5a | 4.551.v5a
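Checking an installed version against these two ranges is easy to get wrong because Jenkins plugin versions carry a `.v<hash>` suffix and the numeric components are not zero-padded (4.550 sorts after 4.5, not before it). The helper below, added for this page and not taken from the plugin or the advisory, orders versions by their dotted numeric prefix only and evaluates both ranges from the table; the sample version strings are constructed:

```java
// Added triage helper: decides whether an installed Google Compute Engine Plugin
// version falls into either affected range listed in the table above. Not from the
// plugin or the advisory; the ranges are transcribed from the table and the sample
// version strings in main() are constructed for the example.
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class GceVersionCheck {

    // Jenkins plugin versions look like "4.550.vb_327fca_3db_11": a dotted numeric
    // prefix followed by ".v<git hash>". Only the numeric prefix orders releases.
    private static final Pattern NUMERIC_PREFIX = Pattern.compile("^(\\d+(?:\\.\\d+)*)");

    static int[] numericPrefix(String version) {
        Matcher m = NUMERIC_PREFIX.matcher(version.trim());
        if (!m.find()) {
            throw new IllegalArgumentException("not a plugin version: " + version);
        }
        String[] parts = m.group(1).split("\\.");
        int[] out = new int[parts.length];
        for (int i = 0; i < parts.length; i++) {
            out[i] = Integer.parseInt(parts[i]); // numeric, so 550 > 5 as intended
        }
        return out;
    }

    /** Compares two versions on their numeric prefixes; missing components count as 0. */
    static int compare(String a, String b) {
        int[] x = numericPrefix(a), y = numericPrefix(b);
        int n = Math.max(x.length, y.length);
        for (int i = 0; i < n; i++) {
            int xi = i < x.length ? x[i] : 0;
            int yi = i < y.length ? y[i] : 0;
            if (xi != yi) {
                return Integer.compare(xi, yi);
            }
        }
        return 0;
    }

    /** True when the version is in "< 4.3.17.1" or in ">= 4.5, < 4.551.v5a". */
    static boolean isAffected(String version) {
        boolean oldLine = compare(version, "4.3.17.1") < 0;
        boolean newLine = compare(version, "4.5") >= 0 && compare(version, "4.551.v5a") < 0;
        return oldLine || newLine;
    }

    public static void main(String[] args) {
        // Constructed samples: the two versions named in the advisory, their
        // patched counterparts, and an older 4.3.x release.
        List<String> samples = List.of(
                "4.3.16",                 // AFFECTED (below the 4.3.x backport)
                "4.3.17.1",               // ok (the backport itself)
                "4.550.vb_327fca_3db_11", // AFFECTED (last vulnerable release)
                "4.551.v5a_4dc98f6962");  // ok (first fixed release)
        for (String v : samples) {
            System.out.println(v + " -> " + (isAffected(v) ? "AFFECTED" : "ok"));
        }
    }
}
```

The version string to feed in is the one Jenkins reports for the plugin on Manage Jenkins > Plugins; comparing it as a plain string, or as a float, would misplace 4.550 relative to 4.5 and 4.551, which is exactly the mistake the numeric-prefix comparison avoids.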
