CVE-2023-50768

Name of the Vulnerable Software and Affected Versions Jenkins Nexus Platform Plugin versions 3.18.0-03 and earlier

Description A cross-site request forgery (CSRF) vulnerability allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. The vulnerability is due to the lack of permission checks in methods implementing form validation, which can be exploited by attackers with Overall/Read permission. Additionally, the form validation methods do not require POST requests, further contributing to the CSRF vulnerability.

Recommendations For Jenkins Nexus Platform Plugin versions 3.18.0-03 and earlier, update to version 3.18.1-01 or later, which requires POST requests and Overall/Administer permission for the affected form validation methods, mitigating the CSRF vulnerability. As a temporary workaround, consider restricting access to the form validation methods to users with Overall/Administer permission until a patch is available.