GHSA-q6cq-8r4j-6rj5

Source

https://github.com/advisories/GHSA-q6cq-8r4j-6rj5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-q6cq-8r4j-6rj5/GHSA-q6cq-8r4j-6rj5.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-q6cq-8r4j-6rj5

Aliases

CVE-2023-37960

Published

2023-07-12T18:30:39Z

Modified

2023-11-08T05:25:34.110532Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Jenkins MathWorks Polyspace Plugin vulnerable to arbitrary file read

Details

Jenkins MathWorks Polyspace Plugin 1.0.5 and earlier does not restrict the path of the attached files in Polyspace Notification post-build step.

This allows attackers with Item/Configure permission to send emails with arbitrary files from the Jenkins controller file system.

Database specific

{
    "github_reviewed_at": "2023-07-12T22:30:48Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22"
    ],
    "nvd_published_at": "2023-07-12T16:15:13Z"
}

References

Affected packages

Maven / com.mathworks.polyspace.jenkins:mathworks-polyspace

Package

Name: com.mathworks.polyspace.jenkins:mathworks-polyspace; View open source insights on deps.dev
Purl: pkg:maven/com.mathworks.polyspace.jenkins/mathworks-polyspace

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.0.5

Affected versions

0.*

0.1.0