
CVE-2023-32979: Jenkins Email Extension Plugin missing permission check

CVSS Score: 4.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.28197%
Published: 5/16/2023
Updated: 11/7/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name: org.jenkins-ci.plugins:email-ext
Ecosystem: maven
Vulnerable Versions: < 2.96.1
First Patched Version: 2.96.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability centers on missing permission checks in a form validation method. Jenkins plugin security patterns indicate:

1) Form validation methods follow the doCheck[ParameterName] pattern in DescriptorImpl classes.
2) Email template handling would logically have a method validating template paths.
3) The CVE description explicitly mentions form validation method hardening.

While no patch diffs are available, the combination of Jenkins plugin architecture patterns and advisory specifics strongly indicates EmailExtTemplate's DescriptorImpl.doCheckTemplate as the vulnerable method.
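As an added illustration of the pattern the analysis describes, the following hypothetical Jenkins descriptor places a form-validation method that reports file existence without any authorization check next to a hardened version. This is example code written for this page, not the Email Extension Plugin's code and not its actual fix, which the page does not show. The class name TemplateDescriptorExample, the method names, the choice of Jenkins.ADMINISTER as the required permission, and the extra path-containment check are all assumptions; only the doCheck[ParameterName] naming convention, the `email-templates/` directory and the Overall/Read exposure come from the page.

```java
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.io.File;
import java.io.IOException;

// Hypothetical stand-in for a plugin DescriptorImpl (assumed name, not the
// plugin's class). Stapler maps a request to checkTemplate?value=... onto
// doCheckTemplate(...) on an object like this one.
public class TemplateDescriptorExample {

    // Assumed location; the advisory names the "email-templates/" directory.
    private static File templateDir() {
        return new File(Jenkins.get().getRootDir(), "email-templates");
    }

    // Vulnerable shape: the validation result reveals whether a file exists,
    // and nothing restricts who may call it beyond being able to reach the
    // URL, which any user with Overall/Read can do.
    public FormValidation doCheckTemplateUnchecked(@QueryParameter String value) {
        File f = new File(templateDir(), value);
        return f.exists()
                ? FormValidation.ok()
                : FormValidation.error("Template " + value + " does not exist");
    }

    // Hardened shape: require a permission before touching the filesystem,
    // accept only POST so the check cannot be triggered by a crafted link,
    // and reject names that resolve outside the template directory. The page
    // does not state which permission the real fix requires; ADMINISTER is
    // assumed here.
    @POST
    public FormValidation doCheckTemplate(@QueryParameter String value) {
        // Throws AccessDeniedException for callers without the permission,
        // so the filesystem is never consulted on their behalf.
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        if (value == null || value.trim().isEmpty()) {
            return FormValidation.ok();
        }
        File dir = templateDir();
        File f = new File(dir, value);
        try {
            String root = dir.getCanonicalPath() + File.separator;
            if (!f.getCanonicalPath().startsWith(root)) {
                return FormValidation.error("Template name must stay inside the template directory");
            }
        } catch (IOException e) {
            return FormValidation.error("Could not resolve template path");
        }
        return f.exists()
                ? FormValidation.ok()
                : FormValidation.warning("Template " + value + " was not found");
    }
}
```

The detection-side takeaway is the same regardless of the exact method name: any doCheck method whose answer depends on server-side state (files, credentials, remote hosts) needs a checkPermission call before that state is touched, and reviewing a plugin for such methods is a quick audit that does not require the patch diff.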


WAF Protection Rules

WAF Rule

Jenkins Email Extension Plugin 2.96 and earlier does not perform a permission check in a method implementing form validation. This allows attackers with Overall/Read permission to check for the existence of files in the `email-templates/` directory.
