CVE-2023-37956

Name of the Vulnerable Software and Affected Versions Jenkins Test Results Aggregator Plugin versions 1.2.13 and earlier

Description A missing permission check in the plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials, including username and password. This issue also results in a cross-site request forgery (CSRF) vulnerability, as the affected HTTP endpoint does not require POST requests.

Recommendations For Jenkins Test Results Aggregator Plugin versions 1.2.13 and earlier, consider disabling the affected HTTP endpoint until a patch is available to prevent exploitation. Restrict access to the plugin's functionality to minimize the risk of attackers connecting to attacker-specified URLs using attacker-specified credentials. At the moment, there is no information about a newer version that contains a fix for this vulnerability.