PT-2023-31638 · Jenkins · Jenkins Nexus Platform Plugin+1

Andrea Chiera · Published 2023-12-13 · Updated 2023-12-18 · CVE-2023-50769

CVSS v3.1: 4.3 (Medium) · Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Nexus Platform Plugin versions 3.18.0-03 and earlier

Description: The issue stems from missing permission checks in the Jenkins Nexus Platform Plugin: attackers with Overall/Read permission can make Jenkins connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, which can capture credentials stored in Jenkins. In addition, the affected form validation methods do not require POST requests, so they are also exposed to cross-site request forgery (CSRF).

Recommendations: For Jenkins Nexus Platform Plugin versions 3.18.0-03 and earlier, update to version 3.18.1-01 or later, which requires POST requests and Overall/Administer permission for the affected form validation methods. As a temporary workaround, restrict access to the form validation methods to reduce the risk of exploitation, and limit who holds Overall/Read permission to shrink the attack surface until the update is applied.

Weakness Enumeration

Missing Authorization

Related identifiers

CVE-2023-50769
GHSA-4G5F-W3MH-W99M

Affected products

Jenkins
Jenkins Nexus Platform Plugin