
CVE-2023-30522: Jenkins Fogbugz Plugin has missing permissions check

CVSS Score (v3.1): 4.3

Basic Information

EPSS Score: 0.0795%
Published: 4/12/2023
Updated: 4/21/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Package Name: org.jenkins-ci.plugins:fogbugz
Ecosystem: maven
Vulnerable Versions: <= 2.2.17
First Patched Version: none listed

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability description explicitly mentions an unprotected webhook endpoint at /fbTrigger/ that allows triggering builds with only Item/Read permission. In the Jenkins plugin architecture:

  1. Web endpoints are typically implemented as do* methods on Action classes (for example doIndex for the action's root URL), which Stapler binds to URLs under the action's getUrlName().
  2. The missing permission check suggests the handler never calls checkPermission(Item.BUILD) on the resolved job. Item/Build is a per-item permission, so the check belongs on the job object itself, not only on the Jenkins root ACL.
  3. The 'jobname' parameter handling indicates a function that reads an HTTP query parameter, resolves it to a job, and schedules a build of that job.
  4. The CWE-862 (Missing Authorization) classification confirms that the flaw is an omitted authorization check in the endpoint handler, not a bypass of an existing one.
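The following is an added illustration of the pattern the analysis describes, written for this page; it is not the Fogbugz plugin's own code, and the package, class and method names (FogbugzTriggerAction, doIndex, doTrigger) are assumptions. The only Jenkins facts it relies on are that a RootAction's getUrlName() selects the URL prefix, that Stapler routes the action's root URL to doIndex, and that checkPermission on an item throws AccessDeniedException (rendered as HTTP 403) when the caller lacks the permission. The vulnerable handler and its hardened counterpart sit side by side so the missing check is visible:

```java
package io.example.fogbugz; // assumed package name, not the plugin's

import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Cause;
import hudson.model.Item;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/**
 * Illustrative RootAction exposed at /fbTrigger/ (via getUrlName()).
 * Class and method names are assumptions for this example.
 */
@Extension
public class FogbugzTriggerAction implements RootAction {

    @Override public String getIconFileName() { return null; } // no sidebar entry
    @Override public String getDisplayName() { return null; }
    @Override public String getUrlName() { return "fbTrigger"; } // -> /fbTrigger/

    /**
     * VULNERABLE pattern (CWE-862): GET /fbTrigger/?jobname=<full job name>
     * Stapler routes /fbTrigger/ to doIndex. getItemByFullName only requires
     * Item/Read to resolve the job, and nothing here checks Item/Build, so any
     * user who can see the job can have it built.
     */
    public HttpResponse doIndex(@QueryParameter String jobname) {
        if (jobname == null || jobname.isEmpty()) {
            return HttpResponses.errorWithoutStack(400, "jobname is required");
        }
        AbstractProject<?, ?> job =
                Jenkins.get().getItemByFullName(jobname, AbstractProject.class);
        if (job == null) {
            return HttpResponses.notFound();
        }
        job.scheduleBuild2(0, new Cause.UserIdCause()); // scheduled with no authorization check
        return HttpResponses.ok();
    }

    /**
     * HARDENED form of the same handler, kept as a separate method so both can
     * be read together; in a real fix it would replace doIndex.
     */
    @RequirePOST // a state-changing endpoint should not be reachable by GET
    public HttpResponse doTrigger(@QueryParameter String jobname) {
        if (jobname == null || jobname.isEmpty()) {
            return HttpResponses.errorWithoutStack(400, "jobname is required");
        }
        AbstractProject<?, ?> job =
                Jenkins.get().getItemByFullName(jobname, AbstractProject.class);
        // getItemByFullName returns null for jobs the caller cannot read, so an
        // unreadable job is indistinguishable from a nonexistent one.
        if (job == null) {
            return HttpResponses.notFound();
        }
        // The check the vulnerable handler lacks: throws AccessDeniedException
        // (HTTP 403) unless the caller holds Item/Build on this specific job.
        job.checkPermission(Item.BUILD);
        job.scheduleBuild2(0, new Cause.UserIdCause());
        return HttpResponses.ok();
    }
}
```

To verify a fix rather than trust it, authenticate as a test user granted only Overall/Read and Item/Read, request the endpoint with a jobname that user can see, and confirm the response is 403 and that no new entry appears in the build queue or job history; the same request from a user with Item/Build should still schedule the build. Checking the permission on the job object rather than with Jenkins.get().checkPermission(...) matters because matrix- and project-based authorization can grant Item/Build on some jobs and not others.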


WAF Protection Rules

WAF Rule

Jenkins Fogbugz Plugin provides a webhook endpoint at `/fbTrigger/` that can be used to trigger builds of any jobs. In Fogbugz Plugin 2.2.17 and earlier, this endpoint can be accessed by attackers with Item/Read permission, allowing them to trigger builds.
