CVE-2023-37960: 
Java vulnerability analysis and mitigation

MathWorks Polyspace Plugin for Jenkins version 1.0.5 and earlier contains a security vulnerability identified as CVE-2023-37960. The vulnerability was discovered by Tony Torralba from GitHub Security Lab and was publicly disclosed on July 12, 2023. This vulnerability affects the Polyspace Notification post-build step functionality in the Jenkins plugin (Jenkins Advisory, GitHub Lab).

The vulnerability stems from improper path restriction of attached files in the Polyspace Notification post-build step. The CVSS v3.1 base score for this vulnerability is 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N. The technical issue involves the plugin's failure to properly validate and restrict file paths, which can be exploited through the post-build notification mechanism (NVD).

The vulnerability allows attackers with Item/Configure permission to access and exfiltrate arbitrary files from the Jenkins controller file system by sending them through email notifications. This could potentially lead to unauthorized access to sensitive information stored on the Jenkins controller (Jenkins Advisory).

As of the advisory publication date, no fix is available for this vulnerability in the MathWorks Polyspace Plugin. Users are advised to carefully review and restrict access to Item/Configure permissions and monitor file access patterns (Jenkins Advisory).