CVE-2023-40347 — Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin vulnerable to exposure

Description

Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin 1.14 and earlier does not set the appropriate context for credentials lookup, allowing the use of System-scoped credentials otherwise reserved for the global configuration. This allows attackers with Item/Configure permission to access and capture credentials they are not entitled to. As of publication of this advisory, there is no fix.

How to fix CVE-2023-40347

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2023-40347 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 1.14

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-40347
WEBwww.jenkins.io/security/advisory/2023-08-16/#SECURITY-3153
WEBwww.openwall.com/lists/oss-security/2023/08/16/3