CVE-2023-49674

Name of the Vulnerable Software and Affected Versions Jenkins NeuVector Vulnerability Scanner Plugin versions 1.22 and earlier

Description A missing permission check in the plugin allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password. The connection test HTTP endpoint is vulnerable, and it does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Recommendations For Jenkins NeuVector Vulnerability Scanner Plugin versions 1.22 and earlier, consider upgrading to version 2.2 or later, which requires POST requests and Overall/Administer permission for the affected HTTP endpoint. As a temporary workaround, restrict access to the connection test HTTP endpoint to minimize the risk of exploitation. Avoid using the username and password variables in the affected endpoint until the issue is resolved.