PT-2023-24130 · Jenkins · Jenkins Appspider Plugin+1

Publicado

2023-05-16

Atualizado

2023-05-31

CVE-2023-32999

CVSS v3.1

4.3

Média

Vetor

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions Jenkins AppSpider Plugin versions 1.0.15 and earlier

Description A missing permission check in the Jenkins AppSpider Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials. This also results in a cross-site request forgery (CSRF) vulnerability due to the form validation method not requiring POST requests.

Recommendations For Jenkins AppSpider Plugin versions 1.0.15 and earlier, update to version 1.0.16 or later, which requires POST requests and Overall/Administer permission for the affected form validation method. As a temporary workaround, consider restricting access to the plugin's form validation method to minimize the risk of exploitation.

Correção

Incorrect Default Permissions

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-276

Identificadores relacionados

CVE-2023-32999

GHSA-2C5C-FHR8-PWH9

Produtos afetados

Jenkins

Jenkins Appspider Plugin

PT-2023-24130 · Jenkins · Jenkins Appspider Plugin+1

CVE-2023-32999

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 8