CVE-2023-49673

Name of the Vulnerable Software and Affected Versions Jenkins NeuVector Vulnerability Scanner Plugin versions 1.22 and earlier

Description A cross-site request forgery (CSRF) vulnerability exists due to the lack of permission checks in a connection test HTTP endpoint, allowing attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password. This endpoint also does not require POST requests, further contributing to the vulnerability.

Recommendations For Jenkins NeuVector Vulnerability Scanner Plugin versions 1.22 and earlier, consider updating to version 2.2 or later, which requires POST requests and Overall/Administer permission for the affected HTTP endpoint, thus mitigating the issue. As a temporary workaround, restrict access to the connection test HTTP endpoint to minimize the risk of exploitation.