CVE-2023-49654: 
Java vulnerability analysis and mitigation

CVE-2023-49654 is a security vulnerability affecting the Jenkins MATLAB Plugin versions 2.11.0 and earlier. The vulnerability was discovered and reported by Andrea Chiera from CloudBees, Inc. and was publicly disclosed on November 29, 2023. The issue stems from missing permission checks in several HTTP endpoints that implement form validation for MATLAB installation directory verification (Jenkins Advisory, OSS Security).

The vulnerability is rated as High severity with a CVSS v3.1 base score of 9.8 (CRITICAL). The vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The core issue lies in the plugin's functionality that determines whether a user-specified directory on the Jenkins controller is a valid MATLAB installation location by parsing an XML file in that directory. The vulnerability is classified as CWE-862 (Missing Authorization) (NVD).

This vulnerability allows attackers to have Jenkins parse an XML file from the Jenkins controller file system. When combined with related vulnerabilities (CVE-2023-49655 for CSRF and CVE-2023-49656 for XXE), attackers able to create files on the Jenkins controller file system can have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or perform server-side request forgery (Jenkins Advisory).

The vulnerability has been fixed in MATLAB Plugin version 2.11.1. The updated version implements proper permission checks by requiring POST requests and Item/Configure permission for the affected HTTP endpoints. Users are strongly advised to upgrade to this version to mitigate the vulnerability (Jenkins Advisory).