4.3

CVSS Score

Basic Information

CVE ID

CVE-2023-2196

GHSA ID

GHSA-5gjq-5339-x5cv

EPSS Score

CWE

CWE-22

Published

5/16/2023

Updated

1/4/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-2196

CVE-2023-2196:
Jenkins Code Dx Plugin missing permission checks

Jenkins Code Dx Plugin 3.1.0 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Item/Read permission to check for the existence of an attacker-specified file path on an agent file system.

Code Dx Plugin 4.0.0 requires Item/Configure permission for this form validation method and ensures that only files located within the workspace can be checked.

(GitHub Advisory)

4.3

CVSS Score

Basic Information

CVE ID

CVE-2023-2196

GHSA ID

GHSA-5gjq-5339-x5cv

EPSS Score

CWE

CWE-22

Published

5/16/2023

Updated

1/4/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:codedx	maven	< 4.0.0	4.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from two key issues: 1) Missing permission checks in form validation methods (doCheck* methods in CodeDxPublisher) that should require Item/Configure permission, and 2) Insufficient path validation in Util.java allowing checks outside the workspace. The commit diff shows these methods were modified to add permission checks (@POST + checkPermission) and path containment validation (startsWith(basePath)). These correspond directly to the advisory's description of the vulnerability being caused by missing permission checks and path traversal possibilities.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins *o** *x Plu*in *.*.* *n* **rli*r *o*s not p*r*orm * p*rmission ****k in * m*t*o* impl*m*ntin* *orm v*li**tion. T*is *llows *tt**k*rs wit* It*m/R*** p*rmission to ****k *or t** *xist*n** o* *n *tt**k*r-sp**i*i** *il* p*t* on *n ***nt *il* sys

Reasoning

T** vuln*r**ility st*mm** *rom two k*y issu*s: *) Missin* p*rmission ****ks in *orm v*li**tion m*t*o*s (*o****k* m*t*o*s in *o***xPu*lis**r) t**t s*oul* r*quir* It*m/*on*i*ur* p*rmission, *n* *) Insu**i*i*nt p*t* v*li**tion in Util.j*v* *llowin* ****

4.3

Basic Information

Concerned about an active attack path?

CVE-2023-2196: Jenkins Code Dx Plugin missing permission checks

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-2196:
Jenkins Code Dx Plugin missing permission checks

Vulnerability Intelligence
Miggo AI