GHSA-q6cq-8r4j-6rj5

Suggest an improvement
Source
https://github.com/advisories/GHSA-q6cq-8r4j-6rj5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-q6cq-8r4j-6rj5/GHSA-q6cq-8r4j-6rj5.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-q6cq-8r4j-6rj5
Aliases
  • CVE-2023-37960
Published
2023-07-12T18:30:39Z
Modified
2023-11-08T05:25:34.110532Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Jenkins MathWorks Polyspace Plugin vulnerable to arbitrary file read
Details

Jenkins MathWorks Polyspace Plugin 1.0.5 and earlier does not restrict the path of the attached files in Polyspace Notification post-build step.

This allows attackers with Item/Configure permission to send emails with arbitrary files from the Jenkins controller file system.

Database specific
{
    "nvd_published_at": "2023-07-12T16:15:13Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-12T22:30:48Z"
}
References

Affected packages

Maven / com.mathworks.polyspace.jenkins:mathworks-polyspace

Package

Name
com.mathworks.polyspace.jenkins:mathworks-polyspace
View open source insights on deps.dev
Purl
pkg:maven/com.mathworks.polyspace.jenkins/mathworks-polyspace

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
1.0.5

Affected versions

0.*

0.1.0