Jenkins · Jenkins Gogs Plugin · CVE-2023-40349
**Name of the Vulnerable Software and Affected Versions**
Jenkins Gogs Plugin versions 1.0.15 and earlier
**Description**
The Jenkins Gogs Plugin improperly initializes the option that secures its webhook endpoint, allowing unauthenticated attackers to trigger builds of jobs. The plugin exposes a webhook endpoint at /gogs-webhook that triggers builds of jobs. In versions 1.0.15 and earlier, an option to configure a Gogs secret for this webhook exists, but it is not enabled by default. As a result, unauthenticated attackers can trigger builds of any job whose name they specify in the request. Additionally, the webhook endpoint's response reveals whether a job with the attacker-specified name exists, even if the attacker has no permission to access that job.
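The two defects described above (a secret that is optional and off by default, and a response that doubles as a job-existence oracle) are easiest to see side by side. The following is an added toy model written for this page, not the Jenkins Gogs Plugin's own code: `handle_weak` reproduces the insecure default, and `handle_hardened` refuses to operate without a configured secret, checks the signature before touching any job state, and answers identically whether or not the named job exists. The job set, request shape and the HMAC-SHA256 `X-Gogs-Signature` scheme are assumptions made for the example.

```python
"""Toy build-trigger webhook: insecure default beside a hardened variant.
Hypothetical illustration for CVE-2023-40349; not the plugin's real code."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample state: the jobs this toy CI server knows about.
KNOWN_JOBS = {"build-api", "deploy-prod"}


@dataclass
class WebhookRequest:
    job: str              # job name taken from the request (caller-controlled)
    body: bytes           # raw request payload
    signature: str = ""   # hex HMAC presented by the caller (assumed header X-Gogs-Signature)


@dataclass
class WebhookResponse:
    status: int
    body: str
    triggered: Optional[str] = None   # job whose build was scheduled, if any


def sign(secret: str, body: bytes) -> str:
    """HMAC-SHA256 over the raw body, hex encoded (assumed signing scheme)."""
    return hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


def signature_ok(secret: str, body: bytes, presented: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the secret."""
    return hmac.compare_digest(sign(secret, body), presented)


def handle_weak(req: WebhookRequest, configured_secret: Optional[str] = None) -> WebhookResponse:
    """Models the advisory's behaviour: no secret configured means no check at all,
    and the response says whether the named job exists."""
    if configured_secret is not None and not signature_ok(configured_secret, req.body, req.signature):
        return WebhookResponse(403, "bad signature")
    if req.job not in KNOWN_JOBS:
        # Existence oracle: an unauthenticated caller learns the job is absent.
        return WebhookResponse(404, f"job {req.job!r} does not exist")
    return WebhookResponse(200, f"build of {req.job!r} scheduled", triggered=req.job)


def handle_hardened(req: WebhookRequest, configured_secret: Optional[str] = None) -> WebhookResponse:
    """Secure-by-default variant: unusable until a secret is set, signature verified
    before any job lookup, and a uniform reply regardless of job existence."""
    if not configured_secret:
        return WebhookResponse(503, "webhook disabled: no secret configured")
    if not signature_ok(configured_secret, req.body, req.signature):
        return WebhookResponse(403, "request rejected")
    # Only an authenticated caller reaches this point; the reply is the same either way.
    triggered = req.job if req.job in KNOWN_JOBS else None
    return WebhookResponse(202, "accepted", triggered=triggered)


if __name__ == "__main__":
    payload = b'{"ref": "refs/heads/main"}'
    print("weak, no secret, unknown job:", handle_weak(WebhookRequest("ghost", payload)))
    print("hardened, no secret:", handle_hardened(WebhookRequest("build-api", payload)))
    good = WebhookRequest("build-api", payload, sign("s3cret", payload))
    print("hardened, signed:", handle_hardened(good, "s3cret"))
```

The point of the hardened version is ordering: the secret check happens before the job name is consulted, so a caller without the secret cannot reach the code path that would distinguish existing jobs from missing ones, and the `202 accepted` reply is identical in both cases for callers who do hold the secret.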
**Recommendations**
As a temporary workaround, consider disabling the webhook endpoint at /gogs-webhook until a patch is available. Restrict access to the Jenkins Gogs Plugin to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.