CVE-2023-37955

Name of the Vulnerable Software and Affected Versions Jenkins Test Results Aggregator Plugin versions 1.2.13 and earlier

Description A cross-site request forgery (CSRF) vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials. This issue arises because the plugin does not perform a permission check in an HTTP endpoint implementing form validation, allowing attackers with Overall/Read permission to exploit this vulnerability. The HTTP endpoint is also vulnerable because it does not require POST requests.

Recommendations For Jenkins Test Results Aggregator Plugin versions 1.2.13 and earlier, consider disabling the HTTP endpoint implementing form validation until a patch is available to prevent exploitation. Restrict access to the plugin's form validation functionality to minimize the risk of CSRF attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.