PT-2023-31283 · Jenkins · Jenkins Neuvector Vulnerability Scanner Plugin+1

Yaroslav Afenkin

Publicado

2023-11-29

Atualizado

2024-08-01

CVE-2023-49673

CVSS v3.1

8.8

Alta

Vetor

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Jenkins NeuVector Vulnerability Scanner Plugin versions 1.22 and earlier

Description A cross-site request forgery (CSRF) vulnerability exists due to the lack of permission checks in a connection test HTTP endpoint, allowing attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password. This endpoint also does not require POST requests, further contributing to the vulnerability.

Recommendations For Jenkins NeuVector Vulnerability Scanner Plugin versions 1.22 and earlier, consider updating to version 2.2 or later, which requires POST requests and Overall/Administer permission for the affected HTTP endpoint, thus mitigating the issue. As a temporary workaround, restrict access to the connection test HTTP endpoint to minimize the risk of exploitation.

Correção

CSRF

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-352

Identificadores relacionados

CVE-2023-49673

GHSA-WPFC-R5QQ-7R7P

Produtos afetados

Jenkins

Jenkins Neuvector Vulnerability Scanner Plugin

PT-2023-31283 · Jenkins · Jenkins Neuvector Vulnerability Scanner Plugin+1

CVE-2023-49673

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 6