CVE-2023-50770
Description
Jenkins OpenId Connect Authentication Plugin 2.6 and earlier stores a password of a local user account used as an anti-lockout feature in a recoverable format, allowing attackers with access to the Jenkins controller file system to recover the plain text password of that account, likely gaining administrator access to Jenkins.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins OpenId Connect Authentication Plugin stores an anti-lockout password in recoverable format, allowing attackers with file system access to recover it and gain admin access.
Vulnerability
Overview
The Jenkins OpenId Connect Authentication Plugin, versions 2.6 and earlier, stores the password of the local user account used by its anti-lockout feature in a recoverable format rather than as a one-way hash. A recoverable encoding (plain text, or reversible encryption whose key sits on the same machine) can be turned back into the original password by anyone who can read the controller's files, which is exactly the access this vulnerability requires [1][4].
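The difference between a recoverable encoding and a one-way hash is the whole vulnerability, so here is an added illustrative model of it. This is not the plugin's code: a Python dictionary stands in for the controller's file system, the file names and the sample password are constructed, and a keyed XOR stream stands in for any reversible scheme (including real encryption) whose key is stored beside the data. The hardened variant uses a salted PBKDF2 hash, which the same file-system reader cannot reverse but the login path can still verify.

```python
"""Recoverable vs hashed storage of an anti-lockout password (added example).

Not the oic-auth plugin's code. `controller_dir` models $JENKINS_HOME as a
dict mapping relative path -> bytes/str; all paths below are hypothetical.
"""
import base64
import hashlib
import hmac
import secrets

# Constructed sample password for the anti-lockout (escape hatch) account.
SAMPLE_PASSWORD = "Esc4pe-H4tch!"

PBKDF2_ITERATIONS = 600_000  # OWASP 2023 guidance for PBKDF2-HMAC-SHA256


def _keystream(key: bytes, length: bytes) -> bytes:
    # Stand-in for a reversible cipher; deliberately simple, NOT a real cipher.
    block = hashlib.sha256(key).digest()
    return (block * (length // len(block) + 1))[:length]


def store_recoverable(controller_dir: dict, password: str) -> None:
    """Weak pattern: reversible encoding, key stored on the same file system."""
    key = secrets.token_bytes(32)
    controller_dir["secrets/master.key"] = key  # key lives beside the data
    pw = password.encode()
    controller_dir["config/escape-hatch.bin"] = bytes(
        a ^ b for a, b in zip(pw, _keystream(key, len(pw)))
    )


def attacker_recover(controller_dir: dict) -> str:
    """Anyone who can read both files reverses the encoding to plain text."""
    key = controller_dir["secrets/master.key"]
    ct = controller_dir["config/escape-hatch.bin"]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct)))).decode()


def store_hashed(controller_dir: dict, password: str) -> None:
    """Hardened pattern: salted one-way hash; nothing on disk reverses it."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS
    )
    controller_dir["config/escape-hatch.hash"] = "$".join(
        [
            "pbkdf2-sha256",
            str(PBKDF2_ITERATIONS),
            base64.b64encode(salt).decode(),
            base64.b64encode(digest).decode(),
        ]
    )


def verify_hashed(controller_dir: dict, candidate: str) -> bool:
    """Login check: recompute the hash and compare in constant time."""
    algo, iters, salt_b64, digest_b64 = controller_dir[
        "config/escape-hatch.hash"
    ].split("$")
    if algo != "pbkdf2-sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), base64.b64decode(salt_b64), int(iters)
    )
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))


def demo() -> dict:
    """Run both storage models against the same file-system reader."""
    weak, hardened = {}, {}
    store_recoverable(weak, SAMPLE_PASSWORD)
    store_hashed(hardened, SAMPLE_PASSWORD)
    return {
        "recovered_from_weak": attacker_recover(weak),
        "hardened_verifies_correct": verify_hashed(hardened, SAMPLE_PASSWORD),
        "hardened_rejects_wrong": verify_hashed(hardened, "wrong-password"),
        "plaintext_on_disk_hardened": SAMPLE_PASSWORD.encode()
        in hardened["config/escape-hatch.hash"].encode(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The weak model recovers the password outright; the hardened model stores only salt and digest, so a reader of the controller's files gets nothing that lets them log in as the anti-lockout account, and the login path still works by recomputing the hash. The same reasoning applies to real reversible encryption: if the key material is on the controller, file-system read access is equivalent to knowing the password.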
Exploitation
An attacker must have access to the Jenkins controller's file system to exploit this vulnerability. This could be achieved through a separate compromise or by a malicious insider. Once access is obtained, the attacker can recover the plain text password of the local user account [1][4].
Impact
Recovering this password likely allows the attacker to gain administrator access to Jenkins, as the anti-lockout account typically has high privileges. This could lead to full control over the Jenkins environment and potentially compromise connected systems [1][4].
Mitigation
At the time of the advisory (2023-12-13), no fix was available for the OpenId Connect Authentication Plugin [1][3]. The GitHub Security Advisory now lists 4.229.vf736b as the first patched version (see Affected packages below) [1]. Until the plugin is upgraded, restrict read access to the Jenkins controller's file system to the Jenkins service account and trusted administrators, and monitor for logins by the anti-lockout account, which should be rare in normal operation.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.plugins:oic-auth | Maven | < 4.229.vf736b | 4.229.vf736b |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-6r5w-jjr5-qvgr (GHSA, advisory)
2. nvd.nist.gov/vuln/detail/CVE-2023-50770 (advisory)
3. www.jenkins.io/security/advisory/2023-12-13/ (vendor advisory)
4. www.openwall.com/lists/oss-security/2023/12/13/4 (web)
5. github.com/jenkins-infra/update-center2/pull/773 (web)
6. github.com/jenkinsci/oic-auth-plugin/issues/259 (web)
7. github.com/jenkinsci/oic-auth-plugin/pull/287 (web)
News mentions
- Jenkins Security Advisory 2023-12-13 (Jenkins Security Advisories, Dec 13, 2023)