CVE-2023-37961

Name of the Vulnerable Software and Affected Versions Jenkins Assembla Auth Plugin versions 1.14 and earlier

Description A cross-site request forgery (CSRF) vulnerability allows attackers to trick users into logging in to the attacker's account. This issue arises because the plugin does not implement a state parameter in its OAuth flow, which is a unique and non-guessable value associated with each authentication request.

Recommendations For Jenkins Assembla Auth Plugin versions 1.14 and earlier, consider disabling the OAuth flow until a patch is available to prevent attackers from exploiting the CSRF vulnerability. Restrict access to authentication requests to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.