CVE-2023-35149: 
Java vulnerability analysis and mitigation

A missing permission check vulnerability was identified in Jenkins Digital.ai App Management Publisher Plugin version 2.6 and earlier, tracked as CVE-2023-35149. The vulnerability was discovered and disclosed on June 14, 2023. The issue affects the Digital.ai App Management Publisher Plugin (ease-plugin) up to and including version 2.6 (Jenkins Advisory, NVD).

The vulnerability stems from missing permission checks in several HTTP endpoints of the plugin. The issue has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified under CWE-862: Missing Authorization (NVD).

When exploited, this vulnerability allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, potentially leading to the capture of credentials stored in Jenkins (Jenkins Advisory).

As of the advisory publication date, there is no fix available for this vulnerability in the Digital.ai App Management Publisher Plugin. Users should monitor for updates and implement additional access controls where possible (Jenkins Advisory).

The vulnerability was discovered and reported by Kevin Guerroudj and Wadeck Follonier from CloudBees, Inc. The Jenkins security team has classified this as a medium severity issue (Jenkins Advisory).