CVE-2023-30521 – org.jenkins-ci.plugins:assembla-merge-request-builder

Package

Manager: maven
Name: org.jenkins-ci.plugins:assembla-merge-request-builder
Vulnerable Version: >=0 <=1.1.13

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00088 pctl0.26188

Details

Jenkins Assembla merge request builder Plugin missing authentication to access endpoint Jenkins Assembla merge request builder Plugin provides a webhook endpoint at `/assembla-webhook/` that can be used to trigger builds of jobs configured to use a specified repository. In Assembla merge request builder Plugin 1.1.13 and earlier, this endpoint can be accessed without authentication. This allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.

Metadata

Created: 2023-04-12T18:30:36Z
Modified: 2023-04-21T17:52:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-jr86-6j4j-mv45/GHSA-jr86-6j4j-mv45.json
CWE IDs: ["CWE-862"]
Alternative ID: GHSA-jr86-6j4j-mv45
Finding: F039
Auto approve: 1