ghsa-mjmf-7wjw-f5xx
Vulnerability from github
Published
2023-05-16 21:30
Modified
2023-05-17 17:07
Severity
Summary
Jenkins Code Dx Plugin missing permission checks
Details
Jenkins Code Dx Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to connect to an attacker-specified URL.
Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
Code Dx Plugin 4.0.0 requires POST requests and the appropriate permissions for the affected HTTP endpoints.
{ "affected": [ { "package": { "ecosystem": "Maven", "name": "org.jenkins-ci.plugins:codedx" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "4.0.0" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2023-2631" ], "database_specific": { "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2023-05-17T17:07:24Z", "nvd_published_at": "2023-05-16T19:15:09Z", "severity": "MODERATE" }, "details": "Jenkins Code Dx Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints.\n\nThis allows attackers with Overall/Read permission to connect to an attacker-specified URL.\n\nAdditionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.\n\nCode Dx Plugin 4.0.0 requires POST requests and the appropriate permissions for the affected HTTP endpoints.", "id": "GHSA-mjmf-7wjw-f5xx", "modified": "2023-05-17T17:07:24Z", "published": "2023-05-16T21:30:22Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2631" }, { "type": "WEB", "url": "https://github.com/jenkinsci/codedx-plugin/commit/0214f30488ea8481f01e4b14a861e13d75bebb8b" }, { "type": "WEB", "url": "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3118" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "type": "CVSS_V3" } ], "summary": "Jenkins Code Dx Plugin missing permission checks" }
Loading...