CVE-2023-30519

Name of the Vulnerable Software and Affected Versions Jenkins Quay.io trigger Plugin versions 0.1 and earlier

Description A missing permission check in the Jenkins Quay.io trigger Plugin allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository. The plugin provides a webhook endpoint at "/quayio-webhook/" that can be used to trigger builds of jobs configured to use a specified repository. In versions 0.1 and earlier, this endpoint can be accessed without authentication.

Recommendations For Jenkins Quay.io trigger Plugin versions 0.1 and earlier, consider disabling the "/quayio-webhook/" endpoint until a patch is available to prevent unauthenticated access. Restrict access to the plugin's functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.