CVE-2023-37956:
Jenkins Test Results Aggregator Plugin missing permission check
6.5
CVSS ScoreBasic Information
CVE ID
GHSA ID
EPSS Score
-
CWE
Published
7/12/2023
Updated
11/7/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.jenkins-ci.plugins:test-results-aggregator | maven | <= 1.2.13 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability centers on an HTTP endpoint handling form validation (likely doCheck* method pattern in Jenkins plugins) that: 1. Lacks permission checks beyond Overall/Read 2. Accepts non-POST requests. The descriptor class is the standard location for form validation methods in Jenkins plugins. The 'doCheckUrl' naming follows Jenkins' convention for connection validation endpoints. The combination of missing authorization check and CSRF vulnerability matches the pattern of unsecured doCheck* methods in Jenkins descriptors.