CVE-2023-43501

Name of the Vulnerable Software and Affected Versions Jenkins Build Failure Analyzer Plugin versions 2.4.1 and earlier

Description A missing permission check in the Jenkins Build Failure Analyzer Plugin allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password. This issue also results in a cross-site request forgery (CSRF) vulnerability due to the lack of requirement for POST requests in a connection test HTTP endpoint.

Recommendations For Jenkins Build Failure Analyzer Plugin versions 2.4.1 and earlier, update to version 2.4.2 or later, which requires POST requests and Overall/Administer permission for the affected HTTP endpoint, thus mitigating the issue. As a temporary workaround, consider restricting access to the connection test HTTP endpoint to minimize the risk of exploitation.