
CVE-2023-33004:
Jenkins Tag Profiler Plugin missing permission check

CVSS Score (v3.1): 4.3

Basic Information

EPSS Score: 0.3091%
Published: 5/16/2023
Updated: 11/7/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Package Name: org.jenkins-ci.plugins:tag-profiler
Ecosystem: maven
Vulnerable Versions: <= 0.2
First Patched Version: none listed

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The advisory explicitly states that an HTTP endpoint lacks a permission check and is vulnerable to CSRF. In the Jenkins plugin architecture:

  1. HTTP endpoints are typically implemented via @WebMethod annotations
  2. Permission checks are normally enforced via Jenkins.get().checkPermission()
  3. CSRF vulnerabilities arise when state-changing operations accept GET requests

While the exact implementation details are not shown, the pattern matches:

  • A handler method for resetting statistics (likely named handleReset or resetStats)
  • A missing checkPermission() call for Overall/Administer
  • Use of @WebMethod without HTTP method restrictions

This matches the patterns seen in Jenkins security advisories for similar vulnerabilities.


WAF Protection Rules

WAF Rule

Jenkins Tag Profiler Plugin 0.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to reset profiler statistics. Additionally, this HTTP endpoint does not require POST requests, r
