CVE-2023-50770

Jenkins OpenId Connect Authentication Plugin 2.6 and earlier stores a password of a local user account used as an anti-lockout feature in a recoverable format, allowing attackers with access to the Jenkins controller file system to recover the plain text password of that account, likely gaining administrator access to Jenkins.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
jenkinsCNA
6.7 MEDIUM
LOCAL
LOW
HIGH
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 3%
Affected Products (NVD)
VendorProductVersion
jenkinsopenid
𝑥
≤ 2.6
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
jenkinsopenid_connect_authentication
𝑥
≤ 2.6
CNA
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2023/12/13/4
https://www.jenkins.io/security/advisory/2023-12-13/#SECURITY-3168
http://www.openwall.com/lists/oss-security/2023/12/13/4
https://www.jenkins.io/security/advisory/2023-12-13/#SECURITY-3168