GHSA-mjmf-7wjw-f5xx

Suggest an improvement
Source
https://github.com/advisories/GHSA-mjmf-7wjw-f5xx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-mjmf-7wjw-f5xx/GHSA-mjmf-7wjw-f5xx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mjmf-7wjw-f5xx
Aliases
  • CVE-2023-2631
Published
2023-05-16T21:30:22Z
Modified
2024-02-16T08:17:29.783947Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Jenkins Code Dx Plugin missing permission checks
Details

Jenkins Code Dx Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Code Dx Plugin 4.0.0 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

References

Affected packages

Maven / org.jenkins-ci.plugins:codedx

Package

Name
org.jenkins-ci.plugins:codedx
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins/codedx

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.0.0

Affected versions

1.*

1.1
1.2
1.3
1.4
1.4.1

2.*

2.0
2.1
2.1.1
2.3
2.4
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.1.0