4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-43501

GHSA ID

GHSA-55q6-r3hm-7ff4

EPSS Score

0.0912%

CWE

CWE-862

Published

9/20/2023

Updated

1/4/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-43501

CVE-2023-43501: Jenkins Build Failure Analyzer Plugin missing permission check

Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier does not perform a permission check in a connection test HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password.

Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Build Failure Analyzer Plugin 2.4.2 requires POST requests and Overall/Administer permission for the affected HTTP endpoint.

(GitHub Advisory)

4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-43501

GHSA ID

GHSA-55q6-r3hm-7ff4

EPSS Score

0.0912%

CWE

CWE-862

Published

9/20/2023

Updated

1/4/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.sonyericsson.jenkins.plugins.bfa:build-failure-analyzer	maven	< 2.4.2	2.4.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two flaws in the connection test endpoint: 1) Missing Jenkins.ADMINISTER permission check (CWE-862), and 2) Lack of POST method enforcement (enabling CSRF). The commit a261229 shows the fix added both the permission check and @POST annotation to doTestConnection. The testConnection handler in MongoDBKnowledgeBase.java was the affected endpoint, as confirmed by security tests in CauseManagementPermissionTest.java that validate() POST enforcement and admin requirements post-fix.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins *uil* **ilur* *n*lyz*r Plu*in *.*.* *n* **rli*r *o*s not p*r*orm * p*rmission ****k in * *onn**tion t*st *TTP *n*point. T*is *llows *tt**k*rs wit* Ov*r*ll/R*** p*rmission to *onn**t to *n *tt**k*r-sp**i*i** *ostn*m* *n* port usin* *tt**k*r-s

Reasoning

T** vuln*r**ility st*ms *rom two *l*ws in t** *onn**tion t*st *n*point: *) Missin* `J*nkins.**MINIST*R` p*rmission ****k (*W*-***), *n* *) L**k o* `POST` m*t*o* *n*or**m*nt (*n**lin* *SR*). T** *ommit `*******` s*ows t** *ix ***** *ot* t** p*rmission

4.3

Basic Information

Concerned about an active attack path?

CVE-2023-43501: Jenkins Build Failure Analyzer Plugin missing permission check

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI