CVE-2023-30525

Name of the Vulnerable Software and Affected Versions Jenkins Report Portal Plugin versions 0.5 and earlier

Description A cross-site request forgery (CSRF) vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified bearer token authentication. This issue arises because the plugin does not perform a permission check in a method implementing form validation, enabling attackers with Overall/Read permission to exploit this vulnerability. The form validation method also does not require POST requests, contributing to the CSRF vulnerability.

Recommendations For Jenkins Report Portal Plugin versions 0.5 and earlier, consider disabling the form validation method until a patch is available to prevent exploitation. Restrict access to the plugin's functionality to minimize the risk of attackers connecting to attacker-specified URLs using bearer token authentication. At the moment, there is no information about a newer version that contains a fix for this vulnerability.