PT-2023-22750 · Jenkins · Jenkins Fogbugz Plugin+1
Kevin Guerroudj
+1
·
Published
2023-04-12
·
Updated
2023-04-20
·
CVE-2023-30522
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins Fogbugz Plugin versions 2.2.17 and earlier
Description
A missing permission check in the Jenkins Fogbugz Plugin allows attackers with Item/Read permission to trigger builds of jobs specified in a
jobname request parameter. The plugin provides a webhook endpoint at "/fbTrigger/" that can be used to trigger builds of any jobs. This endpoint can be accessed by attackers, enabling them to trigger builds of specified jobs.Recommendations
For Jenkins Fogbugz Plugin versions 2.2.17 and earlier, consider disabling access to the "/fbTrigger/" endpoint until a patch is available. Restrict access to the
jobname request parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jenkins Fogbugz Plugin