CVE-2023-28668: 
Java vulnerability analysis and mitigation

Jenkins Role-based Authorization Strategy Plugin version 587.v2872c41fa_e51 and earlier contains a permission handling vulnerability identified as CVE-2023-28668. The vulnerability was discovered and disclosed on March 21, 2023. This security issue affects the Jenkins Role-based Authorization Strategy Plugin, which is responsible for managing user permissions within Jenkins (Jenkins Advisory).

The vulnerability stems from a flaw in permission handling where the plugin continues to grant permissions even after they have been disabled. In Jenkins, certain permissions like Overall/Manage or Item/Extended Read are disabled by default and should only be granted through higher-level permissions that imply them (e.g., Overall/Administer or Item/Configure). The vulnerability has a CVSS v3.1 Base Score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows attackers to retain permissions that should have been revoked, potentially leading to unauthorized access. This occurs in scenarios where a permission is initially granted to users directly or through groups, and then later disabled through methods such as the script console. The continued access could result in elevated privileges beyond intended authorization levels (Jenkins Advisory).

The vulnerability has been fixed in Role-based Authorization Strategy Plugin version 587.588.v850a20a30162. Users are strongly advised to upgrade to this version to address the security issue. The updated version properly handles disabled permissions and prevents unauthorized access retention (Jenkins Advisory).