CVE-2023-41945: 
Java vulnerability analysis and mitigation

CVE-2023-41945 affects the Jenkins Assembla Auth Plugin versions 1.14 and earlier. The vulnerability was discovered and disclosed on September 6, 2023. The plugin provides an authorization strategy that defines four levels of access to Jenkins (ALL, EDIT, VIEW, and NONE) based on corresponding permissions in Assembla spaces (Jenkins Advisory, OSS Security).

The vulnerability stems from the plugin's failure to verify that the permissions it grants are enabled. This results in users with EDIT permissions being granted Overall/Manage and Overall/SystemRead permissions, even when these permissions are disabled and should not be granted. The vulnerability has been assigned a Medium severity CVSS rating. Additionally, the plugin grants deprecated permissions including Overall/RunScripts, Overall/UploadPlugins, and Overall/ConfigureUpdateCenter to users with EDIT access (Jenkins Advisory).

The vulnerability can lead to privilege escalation where users can access functionality they should not be entitled to. The deprecated permissions granted by the plugin are particularly concerning as they allow arbitrary code execution through various means in Jenkins versions before 2.222. Furthermore, plugins not yet adapted to the changes in Jenkins 2.222 may provide access to sensitive features to users with these permissions (Jenkins Advisory).

As of the advisory publication date, there is no fix available for this vulnerability. No specific workarounds have been provided by the vendor (Jenkins Advisory).