Miggo Logo

CVE-2023-28668: Jenkins Role-based Authorization Strategy Plugin grants permissions even after they’ve been disabled

5.9

CVSS Score
3.1

Basic Information

EPSS Score
0.29121%
Published
4/2/2023
Updated
2/25/2025
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:role-strategymaven< 587.588.v850a587.588.v850a_20a_30162

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from how implying permissions were cached and validated. In the pre-patch code, cacheImplyingPermissions() iterated through permissions without checking if they were enabled, populating a static cache. getImplyingPermissions() then served these cached permissions, including disabled ones. The fix introduced a time-bound cache and added explicit enabled checks in cacheImplyingPermissions(), confirming these functions as the root cause. The test case added in the commit also directly targets this logic, reinforcing the analysis.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

P*rmissions in J*nkins **n ** *n**l** *n* *is**l**. Som* p*rmissions *r* *is**l** *y ****ult, *.*., Ov*r*ll/M*n*** or It*m/*xt*n*** R***. *is**l** p*rmissions **nnot ** *r*nt** *ir**tly, only t*rou** *r**t*r p*rmissions t**t imply t**m (*.*., Ov*r*ll

Reasoning

T** vuln*r**ility st*ms *rom *ow implyin* p*rmissions w*r* ****** *n* v*li**t**. In t** pr*-p*t** *o**, `*****Implyin*P*rmissions()` it*r*t** t*rou** p*rmissions wit*out ****kin* i* t**y w*r* *n**l**, popul*tin* * st*ti* *****. `**tImplyin*P*rmission