5.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-28668

GHSA ID

GHSA-436g-2f92-cvhh

EPSS Score

0.29121%

CWE

CWE-281

Published

4/2/2023

Updated

2/25/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-28668

CVE-2023-28668: Jenkins Role-based Authorization Strategy Plugin grants permissions even after they’ve been disabled

Permissions in Jenkins can be enabled and disabled. Some permissions are disabled by default, e.g., Overall/Manage or Item/Extended Read. Disabled permissions cannot be granted directly, only through greater permissions that imply them (e.g., Overall/Administer or Item/Configure).

Role-based Authorization Strategy Plugin 587.v2872c41fa_e51 and earlier grants permissions even after they’ve been disabled.

This allows attackers to have greater access than they’re entitled to after the following operations took place:

A permission is granted to attackers directly or through groups.

The permission is disabled, e.g., through the script console.

Role-based Authorization Strategy Plugin 587.588.v850a_20a_30162 does not grant disabled permissions.

(GitHub Advisory)

5.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-28668

GHSA ID

GHSA-436g-2f92-cvhh

EPSS Score

0.29121%

CWE

CWE-281

Published

4/2/2023

Updated

2/25/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:role-strategy	maven	< 587.588.v850a	587.588.v850a_20a_30162

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how implying permissions were cached and validated. In the pre-patch code, cacheImplyingPermissions() iterated through permissions without checking if they were enabled, populating a static cache. getImplyingPermissions() then served these cached permissions, including disabled ones. The fix introduced a time-bound cache and added explicit enabled checks in cacheImplyingPermissions(), confirming these functions as the root cause. The test case added in the commit also directly targets this logic, reinforcing the analysis.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

P*rmissions in J*nkins **n ** *n**l** *n* *is**l**. Som* p*rmissions *r* *is**l** *y ****ult, *.*., Ov*r*ll/M*n*** or It*m/*xt*n*** R***. *is**l** p*rmissions **nnot ** *r*nt** *ir**tly, only t*rou** *r**t*r p*rmissions t**t imply t**m (*.*., Ov*r*ll

Reasoning

T** vuln*r**ility st*ms *rom *ow implyin* p*rmissions w*r* ****** *n* v*li**t**. In t** pr*-p*t** *o**, `*****Implyin*P*rmissions()` it*r*t** t*rou** p*rmissions wit*out ****kin* i* t**y w*r* *n**l**, popul*tin* * st*ti* *****. `**tImplyin*P*rmission

5.9

Basic Information

Concerned about an active attack path?

CVE-2023-28668: Jenkins Role-based Authorization Strategy Plugin grants permissions even after they’ve been disabled

5.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI