PT-2023-24130 · Jenkins · Jenkins Appspider Plugin+1

Published

2023-05-16

Updated

2023-05-31

CVE-2023-32999

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions Jenkins AppSpider Plugin versions 1.0.15 and earlier

Description A missing permission check in the Jenkins AppSpider Plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials. This also results in a cross-site request forgery (CSRF) vulnerability due to the form validation method not requiring POST requests.

Recommendations For Jenkins AppSpider Plugin versions 1.0.15 and earlier, update to version 1.0.16 or later, which requires POST requests and Overall/Administer permission for the affected form validation method. As a temporary workaround, consider restricting access to the plugin's form validation method to minimize the risk of exploitation.

Fix

Incorrect Default Permissions

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-276

Related Identifiers

CVE-2023-32999

GHSA-2C5C-FHR8-PWH9

Affected Products

Jenkins

Jenkins Appspider Plugin

PT-2023-24130 · Jenkins · Jenkins Appspider Plugin+1

CVE-2023-32999

Weakness Enumeration

Related Identifiers

Affected Products

References · 8