CVE-2023-32998: Jenkins AppSpider Plugin Cross-Site Request Forgery vulnerability
CVSS Score: 4.3 (CVSS v3.1)

Basic Information
CVE ID: CVE-2023-32998
GHSA ID:
EPSS Score: 0.56707%
CWE:
Published: 5/16/2023
Updated: 11/6/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.rapid7:jenkinsci-appspider-plugin | maven | <= 1.0.15 | 1.0.16 |
Vulnerability Intelligence (Miggo AI)
Root Cause Analysis
The vulnerability stems from a form validation method that:
1) lacked a permission check, so any user with Overall/Read permission could invoke it;
2) did not require POST requests, which enables CSRF.
Jenkins plugins typically implement form validation as doCheck* methods in Descriptor classes. The advisory specifically mentions "a method implementing form validation" related to server connectivity and credential submission, which matches the pattern of URL validation methods in Jenkins builders. The patched version added a POST requirement and an admin permission check, confirming this was the attack vector.
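The weak and the hardened shape of such a doCheck* method, as an added illustration that is not the AppSpider plugin's own code; the class, method and display names are assumed, while @POST, @QueryParameter, FormValidation and Jenkins.checkPermission are the standard Jenkins/Stapler APIs the fix pattern relies on:

```java
package example; // assumed package, not the plugin's

import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

public class ScannerBuilder extends Builder { // hypothetical builder, not the real plugin class

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {

        // BEFORE (the weak pattern the advisory describes): no permission check and no
        // POST requirement, so the method is reachable via GET by any user with
        // Overall/Read, which is exactly the CSRF exposure rated by the CVSS vector above.
        public FormValidation doCheckServerUrlUnsafe(@QueryParameter String value) {
            return testConnection(value);
        }

        // AFTER (the pattern the fix applied): @POST rejects GET requests, so Jenkins'
        // CSRF crumb is enforced; checkPermission limits the call to administrators.
        @POST
        public FormValidation doCheckServerUrl(@QueryParameter String value) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return testConnection(value);
        }

        // Placeholder for the connectivity test; a real plugin would contact the server here.
        private static FormValidation testConnection(String url) {
            if (url == null || url.isBlank()) {
                return FormValidation.error("Server URL is required");
            }
            if (!url.startsWith("https://")) {
                return FormValidation.warning("Use an HTTPS URL");
            }
            return FormValidation.ok();
        }

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Example scanner (hypothetical)";
        }
    }
}
```

When reviewing a plugin for this class of bug, every doCheck*, doTest* or doValidate* method in a Descriptor that reaches the network or handles credentials should carry both the @POST annotation and an explicit checkPermission call.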