CVE-2023-32999

Published: May 16, 2023Modified: Jan 23, 2025

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

A missing permission check in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials.

Affected (1)

Products: Jenkins: Appspider

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Jenkins Appspider	Up to 1.0.15

Related CWEs

Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

References (2)

https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3121

Source: jenkinsci-cert@googlegroups.com

Vendor Advisory

https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3121

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.