CVE-2023-32998: Jenkins AppSpider Plugin Cross-Site Request Forgery vulnerability

CVSS Score (v3.1): 4.3

Basic Information

EPSS Score: 0.56707%
Published: 5/16/2023
Updated: 11/6/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Package Name: com.rapid7:jenkinsci-appspider-plugin
Ecosystem: maven
Vulnerable Versions: <= 1.0.15
First Patched Version: 1.0.16

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from a form validation method that (1) lacked permission checks, so any user with Overall/Read could execute it, and (2) did not require POST requests, which enabled CSRF. Jenkins plugins typically implement form validation as doCheck* methods in Descriptor classes. The advisory specifically mentions "a method implementing form validation" related to server connectivity and credential submission, which matches the pattern of URL validation methods in Jenkins builders. The patched version added a POST requirement and an administrator permission check, confirming this was the attack vector.
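A form-validation method in the vulnerable shape the analysis describes, beside its hardened form, as an added Java example that is not the AppSpider plugin's own code; the builder, descriptor, field and helper names (ScannerBuilder, doCheckServerUrl, tryLogin) are hypothetical, and the plugin's connectivity test is replaced by input validation so the example has no network side effect.

```java
import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

// Hypothetical builder; class and method names are not the plugin's own.
public class ScannerBuilder extends Builder {
    @Extension
    public static class DescriptorImpl extends BuildStepDescriptor<Builder> {

        // Vulnerable shape from the advisory: any Overall/Read user can call
        // this, and GET is accepted, so a cross-site request can trigger it.
        public FormValidation doCheckServerUrlOld(@QueryParameter String serverUrl,
                @QueryParameter String username, @QueryParameter String password) {
            return tryLogin(serverUrl, username, password);
        }

        // Hardened shape matching the fix: @RequirePOST makes Stapler reject
        // GET (and a POST must carry Jenkins' CSRF crumb), and the permission
        // check throws for non-administrators before any outbound request.
        @RequirePOST
        public FormValidation doCheckServerUrl(@QueryParameter String serverUrl,
                @QueryParameter String username, @QueryParameter String password) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return tryLogin(serverUrl, username, password);
        }

        // Stand-in for the plugin's connectivity test: only validates input,
        // so nothing is sent anywhere when this example runs.
        private FormValidation tryLogin(String serverUrl, String username, String password) {
            if (serverUrl == null || !serverUrl.startsWith("https://")) {
                return FormValidation.error("Server URL must start with https://");
            }
            if (username == null || username.isEmpty() || password == null || password.isEmpty()) {
                return FormValidation.error("Username and password are required");
            }
            return FormValidation.ok();
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }
    }
}
```

Both fixes are needed: the permission check alone still lets an administrator be targeted through a GET link, and the POST requirement alone still lets any Overall/Read user invoke the method directly.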


WAF Protection Rules

WAF Rule

A cross-site request forgery (CSRF) vulnerability in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials.
