GHSA-mjmf-7wjw-f5xx

Source

https://github.com/advisories/GHSA-mjmf-7wjw-f5xx

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-mjmf-7wjw-f5xx/GHSA-mjmf-7wjw-f5xx.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-mjmf-7wjw-f5xx

Aliases

CVE-2023-2631

Published

2023-05-16T21:30:22Z

Modified

2024-12-06T05:47:22.373977Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Jenkins Code Dx Plugin missing permission checks

Details

Jenkins Code Dx Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Code Dx Plugin 4.0.0 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

Database specific

{
    "nvd_published_at": "2023-05-16T19:15:09Z",
    "cwe_ids": [],
    "github_reviewed_at": "2023-05-17T17:07:24Z",
    "severity": "MODERATE",
    "github_reviewed": true
}

References

Affected packages

Maven / org.jenkins-ci.plugins:codedx

Package

Name: org.jenkins-ci.plugins:codedx; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/codedx

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.0.0

Affected versions

1.*

1.1

1.2

1.3

1.4

1.4.1

2.*

2.0

2.1

2.1.1

2.3

2.4

2.4.1

2.4.2

2.4.3

2.4.4

2.4.5

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.1.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-mjmf-7wjw-f5xx/GHSA-mjmf-7wjw-f5xx.json"