VYPR
← All advisories
Moderate severityNVD Advisory· Published Dec 13, 2023· Updated Feb 13, 2025

CVE-2023-50765

CVE-2023-50765

Description

Jenkins Scriptler Plugin before 344.v5a_ddb_5f9e685 lacks a permission check, allowing Overall/Read users to read Groovy script contents by knowing its ID.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Scriptler Plugin before 344.v5a_ddb_5f9e685 lacks a permission check, allowing Overall/Read users to read Groovy script contents by knowing its ID.

Vulnerability

Description

CVE-2023-50765 is a missing permission check in the Jenkins Scriptler Plugin, affecting versions 342.v6a_89fd40f466 and earlier. The plugin provides an HTTP endpoint to view Groovy script contents, but it does not verify that the user has the required permissions (such as Configure or Run Scripts). This flaw allows any user with the Overall/Read permission to retrieve the full source code of any stored Groovy script if they know its identifier (ID). [1]

Exploitation

An attacker needs only the Overall/Read permission, which is typically granted to many users in a Jenkins environment. By crafting a request to the vulnerable endpoint with a known script ID, the attacker can read the script contents without authorization. The endpoint does not perform any access control checks, making it straightforward to exploit. [4]

Impact

The vulnerability leads to unauthorized disclosure of sensitive Groovy scripts. These scripts may contain credentials, API keys, or other secrets used in Jenkins jobs and pipelines. An attacker could use this information to escalate privileges or gain further access within the Jenkins instance. The severity is rated as Medium (CVSS 5.4) because it requires a valid user account with Overall/Read permission.

Mitigation

Scriptler Plugin version 344.v5a_ddb_5f9e685 fixes the issue by adding proper permission checks. Users should upgrade to this version or later. As of the advisory date, no workarounds are mentioned. [1]

References
  1. Jenkins Security Advisory 2023-12-13
  2. [SECURITY-3206] · jenkinsci/scriptler-plugin@5addb5f

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.jenkins-ci.plugins:scriptlerMaven
<= 342.v6a

Affected products

2

Patches

1
5addb5f9e685

[SECURITY-3206]

https://github.com/jenkinsci/scriptler-pluginMichael TughanOct 3, 2023via ghsa
commit
4 files changed · +44 4
  • src/main/java/org/jenkinsci/plugins/scriptler/ScriptlerManagement.java+8 2 modified
    @@ -30,6 +30,7 @@
 import hudson.markup.MarkupFormatter;
 import hudson.markup.RawHtmlMarkupFormatter;
 import hudson.model.*;
+import hudson.security.AccessControlled;
 import hudson.security.Permission;
 import jenkins.model.Jenkins;
 import org.apache.commons.fileupload.FileItem;
@@ -637,8 +638,13 @@ private String[] resolveSlaveNames(String nameAlias) {
      * @throws IOException
      * @throws ServletException
      */
-    public void doShowScript(StaplerRequest req, StaplerResponse rsp, @QueryParameter("id") String id) throws IOException, ServletException {
-        // action directly accessible to any people configuring job, so no permission check
+    public void doShowScript(StaplerRequest req, StaplerResponse rsp, @AncestorInPath Item item, @QueryParameter("id") String id) throws IOException, ServletException {
+        // action directly accessible to any people configuring job, so use a more lenient permission check
+        Jenkins jenkins = Jenkins.get();
+        if (!jenkins.hasAnyPermission(ScriptlerPermissions.RUN_SCRIPTS, ScriptlerPermissions.CONFIGURE)) {
+            AccessControlled parent = item == null ? jenkins : item;
+            parent.checkPermission(Item.CONFIGURE);
+        }
         Script script = ScriptHelper.getScript(id, true);
         req.setAttribute("script", script);
         req.getView(this, "show.jelly").forward(req, rsp);
  • src/main/java/org/jenkinsci/plugins/scriptler/TransientActionProvider.java+33 0 added
    @@ -0,0 +1,33 @@
+package org.jenkinsci.plugins.scriptler;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+import hudson.Extension;
+import hudson.model.Action;
+import hudson.model.Job;
+import java.util.Collection;
+import java.util.Collections;
+import jenkins.model.TransientActionFactory;
+
+@Extension
+public class TransientActionProvider extends TransientActionFactory<Job> {
+    @Override
+    public Class<Job> type() {
+        return Job.class;
+    }
+
+    @NonNull
+    @Override
+    public Collection<? extends Action> createFor(@NonNull Job target) {
+        return Collections.singleton(new ScriptlerManagement() {
+            @Override
+            public String getIconFileName() {
+                return null;
+            }
+
+            @Override
+            public String getDisplayName() {
+                return null;
+            }
+        });
+    }
+}
  • src/main/resources/org/jenkinsci/plugins/scriptler/builder/ScriptlerBuilder/config.jelly+1 1 modified
    @@ -20,7 +20,7 @@
 			<f:entry title="${%Script}" field="buildStepContent">

 			    <input type="hidden" name="backupJobName" />

 			    <input type="hidden" name="builderId" value="${instance.builderId}" />

-				<select name="scriptlerScriptId" onChange="scriptler_initDetailLink('${rootURL}', this);scriptler_showParams(this, this.value);" >

+				<select name="scriptlerScriptId" data-item-url="${it.url}" onChange="scriptler_initDetailLink('${rootURL}', this);scriptler_showParams(this, this.value);" >

 					<option value="">(Default)</option>

 					<j:forEach var="inst" items="${descriptor.scripts}" varStatus="loop">

 						<j:choose>
  • src/main/webapp/lib/scriptler.js+2 1 modified
    @@ -1,13 +1,14 @@
 
 function scriptler_initDetailLink(rootURL, referenceTag){
+   var itemURL = referenceTag.getAttribute('data-item-url');
    var selId = referenceTag.value;
    var all = new Array();
    all = document.getElementsByName('scriptlerScriptId');
    for(var i = 0; i < all.length; i++) {
 	   if(referenceTag == all.item(i)){
 		   var detailsLinkTag = document.getElementsByName('showScriptlerDetailLink').item(i);
 		   if(selId.length != 0){
-			   detailsLinkTag .href=rootURL+"/scriptler/showScript?id=".concat(selId);
+			   detailsLinkTag .href=rootURL+"/" + itemURL + "scriptler/showScript?id=".concat(selId);
 			   detailsLinkTag .style.display = 'block';
 			}else{
 			   detailsLinkTag .style.display = 'none';

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

1