7.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-50766

GHSA ID

GHSA-4gfc-72gw-v385

EPSS Score

0.21593%

CWE

CWE-352

Published

12/13/2023

Updated

12/18/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-50766

CVE-2023-50766: Jenkins Nexus Platform Plugin Cross-Site Request Forgery vulnerability

Jenkins Nexus Platform Plugin 3.18.0-03 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

Additionally, the plugin does not configure its XML parser to prevent XML external entity (XXE) attacks, so attackers can have Jenkins parse a crafted XML response that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Nexus Platform Plugin 3.18.1-01 configures its XML parser to prevent XML external entity (XXE) attacks.

Additionally, POST requests and Overall/Administer permission are required for the affected HTTP endpoints.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-50766

CVE-2023-50766:

7.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-50766

GHSA ID

GHSA-4gfc-72gw-v385

EPSS Score

0.21593%

CWE

CWE-352

Published

12/13/2023

Updated

12/18/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.sonatype.nexus.ci:nexus-jenkins-plugin	maven	< 3.18.1-01	3.18.1-01

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from form validation methods that: 1) Did not require POST requests (CSRF vector), 2) Lacked Jenkins.ADMINISTER permission checks (allowing Overall/Read users to trigger actions), and 3) Processed external XML responses without XXE protection. The commit diff explicitly shows these methods were modified by adding @POST annotations and permission checks, confirming their pre-patch vulnerable state. The affected methods handle HTTP endpoints for configuration validation and credential verification, which when unprotected, allowed attackers to trigger malicious XML parsing and credential leaks via CSRF.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-50766: Jenkins Nexus Platform Plugin Cross-Site Request Forgery vulnerability

CVE-2023-50766:

7.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

7.1

7.1

Technical Details

CVE-2023-50766: Jenkins Nexus Platform Plugin Cross-Site Request Forgery vulnerability

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI