Miggo Logo

CVE-2023-37956:
Jenkins Test Results Aggregator Plugin missing permission check

6.5

CVSS Score

Basic Information

EPSS Score
-
Published
7/12/2023
Updated
11/7/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:test-results-aggregatormaven<= 1.2.13

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability centers on an HTTP endpoint handling form validation (likely doCheck* method pattern in Jenkins plugins) that: 1. Lacks permission checks beyond Overall/Read 2. Accepts non-POST requests. The descriptor class is the standard location for form validation methods in Jenkins plugins. The 'doCheckUrl' naming follows Jenkins' convention for connection validation endpoints. The combination of missing authorization check and CSRF vulnerability matches the pattern of unsecured doCheck* methods in Jenkins descriptors.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins T*st R*sults ***r***tor Plu*in *.*.** *n* **rli*r *o*s not p*r*orm * p*rmission ****k in *n *TTP *n*point impl*m*ntin* *orm v*li**tion. T*is *llows *tt**k*rs wit* Ov*r*ll/R*** p*rmission to *onn**t to *n *tt**k*r-sp**i*i** URL usin* *tt**k*r

Reasoning

T** vuln*r**ility **nt*rs on *n *TTP *n*point **n*lin* *orm v*li**tion (lik*ly *o****k* m*t*o* p*tt*rn in J*nkins plu*ins) t**t: *. L**ks p*rmission ****ks **yon* Ov*r*ll/R*** *. ****pts non-POST r*qu*sts. T** **s*riptor *l*ss is t** st*n**r* lo**tio