PT-2023-6024 · Jenkins · Jenkins Fortify Plugin

Published: 2023-08-21 · Updated: 2023-08-24 · CVE-2023-4301

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Fortify Plugin versions 22.1.38 and earlier

Description: A cross-site request forgery (CSRF) vulnerability allows attackers to make Jenkins connect to an attacker-specified URL using attacker-specified credentials IDs, capturing credentials stored in Jenkins. The issue stems from insufficient authorization checks on the affected HTTP endpoints: they do not require POST requests, which makes them reachable through CSRF, and they do not enforce a permission beyond Overall/Read, so attackers with Overall/Read permission can exploit this vulnerability.

Recommendations: For Jenkins Fortify Plugin versions 22.1.38 and earlier, update to version 22.2.39 or later, which requires POST requests and the appropriate permissions for the affected HTTP endpoints. As a temporary workaround, consider restricting access to the affected HTTP endpoints to minimize the risk of exploitation.
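The endpoint pattern behind this class of Jenkins plugin bug, shown as an added example that is not the Fortify plugin's own code: a form-validation method in the weak shape the advisory describes (any HTTP method, no permission beyond Overall/Read) next to the hardened shape matching the described fix (POST only plus a permission check). The class and method names are hypothetical, and Overall/Administer stands in for whatever "appropriate permission" the plugin chose.

```java
// Added example, not the Fortify plugin's code: a Jenkins "test connection" endpoint in
// the weak form the advisory describes beside the hardened form matching its fix.
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;

public class ConnectionCheckExample {  // hypothetical descriptor class

    private static StandardUsernamePasswordCredentials lookup(String credentialsId) {
        return CredentialsMatchers.firstOrNull(
            CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                Jenkins.get(), ACL.SYSTEM, Collections.emptyList()),
            CredentialsMatchers.withId(credentialsId));
    }

    // WEAK (22.1.38 and earlier): reachable by plain GET, so no CSRF crumb is checked, and
    // nothing beyond Overall/Read is required; a page the victim merely visits can make
    // their Jenkins session send a stored credential to an attacker-chosen url.
    public FormValidation doTestConnectionWeak(@QueryParameter String url,
            @QueryParameter String credentialsId) throws Exception {
        return connect(url, lookup(credentialsId));
    }

    // HARDENED (the 22.2.39 fix): POST only, which also brings the Jenkins CSRF crumb
    // check into play, plus Overall/Administer before any credential is resolved or sent.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String url,
            @QueryParameter String credentialsId) throws Exception {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return connect(url, lookup(credentialsId));
    }

    private static FormValidation connect(String url, StandardUsernamePasswordCredentials c)
            throws Exception {
        if (c == null) return FormValidation.error("Credentials not found");
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        String basic = c.getUsername() + ":" + c.getPassword().getPlainText();
        conn.setRequestProperty("Authorization", "Basic " + Base64.getEncoder().encodeToString(basic.getBytes(StandardCharsets.UTF_8)));
        return conn.getResponseCode() < 400 ? FormValidation.ok("Connected") : FormValidation.error("HTTP " + conn.getResponseCode());
    }
}
```

The permission check sits before the credential lookup on purpose: a check placed after the outbound request would still leak the secret to the supplied URL.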

Fix

Weakness Enumeration: CSRF

Related Identifiers

BDU:2023-06725
CVE-2023-4301
GHSA-3FJV-8R82-6XM9

Affected Products

Jenkins
Jenkins Fortify Plugin