Skip to main content

Jira CVE-2023-49653

MEDIUM
Insufficiently Protected Credentials (CWE-522)
2023-11-29 jenkinsci-cert@googlegroups.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Nov 29, 2023 - 14:15 nvd
MEDIUM 6.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 maven packages depend on org.jenkins-ci.plugins:jira (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.12.

DescriptionNVD

Jenkins Jira Plugin 3.11 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to.

AnalysisAI

Jenkins Jira Plugin 3.11 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Insufficiently Protected Credentials (CWE-522), which allows attackers to obtain user credentials due to weak protection mechanisms. Jenkins Jira Plugin 3.11 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to. Affected products include: Jenkins Jira.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Hash passwords with strong algorithms (bcrypt, argon2), encrypt credentials in transit and at rest, never log credentials.

More in Jira

View all
CVE-2012-2926 CRITICAL POC
9.1 May 22

Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible bef

CVE-2014-2314 MEDIUM POC
4.3 Mar 09

Directory traversal vulnerability in the Issue Collector plugin in Atlassian JIRA before 6.0.4 allows remote attackers t

CVE-2017-5983 CRITICAL POC
9.8 Apr 10

The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer,

CVE-2019-8442 HIGH POC
7.5 May 22

The CachingResourceDownloadRewriteRule class in Jira before version 7.13.4, and from version 8.0.0 before version 8.0.4,

CVE-2016-6285 MEDIUM POC
6.1 Jan 31

Cross-site scripting (XSS) vulnerability in includes/decorators/global-translations.jsp in Atlassian JIRA before 7.2.2 a

CVE-2021-26078 MEDIUM POC
6.1 Jun 07

The number range searcher component in Jira Server and Jira Data Center before version 8.5.14, from version 8.6.0 before

CVE-2019-3402 MEDIUM POC
6.1 May 22

The ConfigurePortalPages.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows

CVE-2018-5230 MEDIUM POC
6.1 May 14

The issue collector in Atlassian Jira before version 7.6.6, from version 7.7.0 before version 7.7.4, from version 7.8.0

CVE-2019-16541 CRITICAL
9.9 Nov 21

Jenkins JIRA Plugin 3.0.10 and earlier does not declare the correct (folder) scope for per-folder Jira site definitions,

CVE-2020-14172 CRITICAL
9.8 Jul 03

This issue exists to document that a security improvement in the way that Jira Server and Data Center use velocity templ

CVE-2025-57681 MEDIUM POC
5.4 Jan 21

The WorklogPRO - Timesheets for Jira plugin in Jira Data Center before version 4.23.6-jira10 and before version 4.23.5-j

CVE-2020-14181 MEDIUM POC
5.3 Sep 17

Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Infor

Share

CVE-2023-49653 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy