CVE-2023-40349

Name of the Vulnerable Software and Affected Versions Jenkins Gogs Plugin versions 1.0.15 and earlier

Description The Jenkins Gogs Plugin improperly initializes an option to secure its webhook endpoint, allowing unauthenticated attackers to trigger builds of jobs. The plugin provides a webhook endpoint at /gogs-webhook that can be used to trigger builds of jobs. In versions 1.0.15 and earlier, an option to specify a Gogs secret for this webhook is provided, but not enabled by default. This allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified job name. Additionally, the output of the webhook endpoint includes whether a job corresponding to the attacker-specified job name exists, even if the attacker has no permission to access it.

Recommendations As a temporary workaround, consider disabling the webhook endpoint at /gogs-webhook until a patch is available. Restrict access to the Jenkins Gogs Plugin to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.