CVE-2023-37962

Name of the Vulnerable Software and Affected Versions Jenkins Benchmark Evaluator Plugin versions 1.0.1 and earlier

Description A cross-site request forgery (CSRF) vulnerability allows attackers to connect to an attacker-specified URL and to check for the existence of directories, .csv, and .ycsb files on the Jenkins controller file system. This issue arises because the plugin does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to exploit this vulnerability. Furthermore, the form validation method does not require POST requests, contributing to the CSRF vulnerability.

Recommendations For Jenkins Benchmark Evaluator Plugin versions 1.0.1 and earlier, consider disabling the form validation method temporarily until a patch is available to prevent exploitation. Restrict access to the plugin's functionality to minimize the risk of attackers connecting to attacker-specified URLs and checking for file existence on the Jenkins controller file system. Avoid using the plugin's features that do not require POST requests until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.