Cross-Site Request Forgery in Jenkins Build Failure Analyzer Plugin
CVE-2023-43502

4.3MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Build Failure Analyzer Plugin
Vendor: CVE Published:; 20 September 2023

Summary

A significant CSRF vulnerability exists in Jenkins Build Failure Analyzer Plugin versions 2.4.1 and earlier. This flaw allows malicious actors to perform unauthorized actions, specifically enabling them to delete Failure Causes without the victim's consent. By exploiting this vulnerability, an attacker could lead to unwanted configurations and potential disruptions within the Jenkins environment, thereby compromising the overall integrity of the system.

Affected Version(s)

Jenkins Build Failure Analyzer Plugin 0 <= 2.4.1

References

https://www.jenkins.io/security/advisory/2023-09-20/#SECU...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/09/20/5

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Sep 20, 2023
Vulnerability Reserved
Sep 19, 2023