Miggo Logo
Miggo Vulnerability Database
CVE-2023-24434

CVE-2023-24434: CSRF vulnerability in Jenkins GitHub Pull Request Builder Plugin

8.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-24434
GHSA ID
GHSA-m6q8-mwf6-6mmc
EPSS Score
0.46147%
CWE
CWE-352
Published
1/26/2023
Updated
10/27/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:ghprbmaven<= 1.42.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from two flaws explicitly mentioned in SECURITY-2789 (2): 1) Missing permission checks in form validation methods, and 2) Lack of POST request requirements enabling CSRF. While exact function names aren't provided in the advisory, Jenkins plugin security patterns indicate that form validation methods for credential configuration (like test-connection endpoints for external services) would be the attack vector. These methods would typically be named doTest* or doValidate* in Java controllers handling plugin configuration.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* *ross-sit* r*qu*st *or**ry (*SR*) vuln*r**ility in J*nkins *it*u* Pull R*qu*st *uil**r Plu*in *.**.* *n* **rli*r *llows *tt**k*rs to *onn**t to *n *tt**k*r-sp**i*i** URL usin* *tt**k*r-sp**i*i** *r***nti*ls I*s o*t*in** t*rou** *not**r m*t*o*, **pt

Reasoning

T** vuln*r**ility st*ms *rom two *l*ws *xpli*itly m*ntion** in S**URITY-**** (*): *) Missin* p*rmission ****ks in *orm v*li**tion m*t*o*s, *n* *) L**k o* POST r*qu*st r*quir*m*nts *n**lin* *SR*. W*il* *x**t *un*tion n*m*s *r*n't provi*** in t** **vis