{
  "threat_severity" : "Moderate",
  "public_date" : "2023-05-16T00:00:00Z",
  "bugzilla" : {
    "description" : "jenkins-2-plugin: email-ext: Missing permission check in Email Extension Plugin",
    "id" : "2207831",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2207831"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-266",
  "details" : [ "Jenkins Email Extension Plugin does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files in the email-templates/ directory in the Jenkins home directory on the controller file system.", "A flaw was found in the Jenkins Email Extension Plugin. Because of improper permission validation, affected versions of the Jenkins Email Extension Plugin could allow a remote, authenticated attacker to obtain sensitive information. By sending a specially crafted request, an attacker can check for the existence of files in the email-templates/ directory and use this information to launch further attacks against the affected system." ],
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 4.10",
    "release_date" : "2023-06-23T00:00:00Z",
    "advisory" : "RHSA-2023:3625",
    "cpe" : "cpe:/a:redhat:openshift:4.10::el8",
    "package" : "jenkins-2-plugins-0:4.10.1685679861-1.el8"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-32979\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-32979\nhttps://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3088%20(1)" ],
  "name" : "CVE-2023-32979",
  "csaw" : false
}