CVE-2023-40348

Name of the Vulnerable Software and Affected Versions Jenkins Gogs Plugin versions 1.0.15 and earlier

Description The webhook endpoint in Jenkins Gogs Plugin provides unauthenticated attackers with information about the existence of jobs in its output. This endpoint, located at "/gogs-webhook", can be used to trigger builds of jobs and includes an option to specify a Gogs secret, although this option is not enabled by default. The output of the webhook endpoint reveals whether a job corresponding to the attacker-specified job name exists, even if the attacker has no permission to access it.

Recommendations As a temporary workaround, consider disabling the webhook endpoint at "/gogs-webhook" until a patch is available. Restrict access to the Jenkins Gogs Plugin to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.