CVE-2023-41945 — Disabled permissions granted by Jenkins Assembla Auth Plugin

Description

Jenkins Assembla Auth Plugin 1.14 and earlier does not verify that the permissions it grants are enabled, resulting in users with EDIT permissions to be granted Overall/Manage and Overall/SystemRead permissions, even if those permissions are disabled and should not be granted.

How to fix CVE-2023-41945

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2023-41945 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 1.14

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-41945
WEBwww.jenkins.io/security/advisory/2023-09-06/#SECURITY-3065
WEBwww.openwall.com/lists/oss-security/2023/09/06/9