GHSA-4gfc-72gw-v385

Source
https://github.com/advisories/GHSA-4gfc-72gw-v385
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-4gfc-72gw-v385/GHSA-4gfc-72gw-v385.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-4gfc-72gw-v385
Aliases
Published
2023-12-13T18:31:04Z
Modified
2024-01-02T05:57:47.810129Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Summary
Jenkins Nexus Platform Plugin Cross-Site Request Forgery vulnerability
Details

Jenkins Nexus Platform Plugin 3.18.0-03 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to have Jenkins send an HTTP request to an attacker-specified URL and parse the response as XML.

Additionally, the plugin does not configure its XML parser to prevent XML external entity (XXE) attacks, so attackers can have Jenkins parse a crafted XML response that uses external entities to extract secrets from the Jenkins controller or to perform server-side request forgery.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability: Jenkins enforces its CSRF crumb only on POST requests, so an endpoint reachable via GET can be triggered by a link or image tag on any site a logged-in user visits.

Nexus Platform Plugin 3.18.1-01 configures its XML parser to prevent XML external entity (XXE) attacks.

Additionally, POST requests and Overall/Administer permission are now required for the affected HTTP endpoints.
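The following is an added illustration of the three issues the advisory describes and of the hardening it attributes to 3.18.1-01; it is not the Nexus Platform Plugin's own code. The class and method names (ServerUrlValidationExample, doValidateUrlVulnerable, doValidateUrl, fetch) are hypothetical; the Stapler and Jenkins APIs (@RequirePOST, @QueryParameter, FormValidation, Jenkins.get().checkPermission) and the JAXP feature URIs are the standard ones a plugin author would use for this fix.

```java
package example; // hypothetical package; not part of the Nexus Platform Plugin

import java.io.InputStream;
import java.io.StringReader;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

/**
 * Hypothetical descriptor showing a form-validation method with the three
 * defects the advisory lists, beside a hardened version of the same method.
 */
public class ServerUrlValidationExample {

    // VULNERABLE PATTERN:
    //  1. no permission check, so Overall/Read is enough to reach the method
    //  2. reachable via GET, so a cross-site link can trigger it (CSRF)
    //  3. default JAXP parser, so external entities in the response are resolved (XXE)
    public FormValidation doValidateUrlVulnerable(@QueryParameter String serverUrl) {
        try {
            String body = fetch(serverUrl); // server-side request to a caller-chosen URL
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            Document doc = dbf.newDocumentBuilder()
                    .parse(new InputSource(new StringReader(body)));
            return FormValidation.ok("Connected to " + doc.getDocumentElement().getTagName());
        } catch (Exception e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }

    // HARDENED PATTERN, matching what the advisory says 3.18.1-01 does:
    //  - @RequirePOST makes Stapler reject GET, so a cross-site link cannot trigger it
    //  - checkPermission(Jenkins.ADMINISTER) throws for anyone below Overall/Administer
    //  - the parser refuses DOCTYPE declarations and external entities
    @RequirePOST
    public FormValidation doValidateUrl(@QueryParameter String serverUrl) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        try {
            String body = fetch(serverUrl);
            Document doc = hardenedBuilder()
                    .parse(new InputSource(new StringReader(body)));
            return FormValidation.ok("Connected to " + doc.getDocumentElement().getTagName());
        } catch (Exception e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }

    // Standard JAXP/Xerces hardening. Refusing the DOCTYPE outright stops external
    // entities, parameter entities and entity-expansion (billion laughs) at once;
    // the remaining features cover parsers that do not honour disallow-doctype-decl.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // The SSRF primitive both versions share: the URL comes straight from the form.
    private static String fetch(String url) throws Exception {
        try (InputStream in = new URL(url).openStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }
}
```

Note that the permission check and @RequirePOST must be applied to every doCheck*/doValidate*/doTest* method the plugin exposes, not only the one that parses XML: with Overall/Read alone, any method that fetches a caller-supplied URL is still a server-side request forgery primitive even if its parser is hardened.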

Database specific
{
    "nvd_published_at": "2023-12-13T18:15:43Z",
    "cwe_ids": [
        "CWE-352"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-18T23:39:46Z"
}
References

Affected packages

Maven / org.sonatype.nexus.ci:nexus-jenkins-plugin

Package

Name
org.sonatype.nexus.ci:nexus-jenkins-plugin
Purl
pkg:maven/org.sonatype.nexus.ci/nexus-jenkins-plugin

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.18.1-01

Affected versions

1.*

1.2.20170404-163441.794de4c
1.2.20170417-120258.3e88a58
1.2.20170428-142845.cb63c9e
1.2.20170627-094410.1e61c09
1.3.20170728-122322.902d97e
1.4.20170929-233916.04479e6
1.5.20171121-095817.c18bf4f
1.6.20180123-131927.f506018

3.*

3.0.20180214-134325.e135900
3.0.20180425-130011.728733c
3.0.20180531-100044.36b733a
3.1.20180605-140134.c2e96c4
3.1.20180702-132131.f6b4592
3.2.20180724-142843.2f5144d
3.3.20180801-112343.4970c8a
3.3.20180830-142202.6bdf614
3.3.20180912-170211.be90294
3.3.20181025-134249.614c5f4
3.3.20181102-112614.a65c3f1
3.3.20181129-003933.7701a25
3.3.20181207-134824.d240aa3
3.3.20190108-134259.b70ae43
3.4.20190116-104331.e820fec
3.5.20190215-104018.385de7e
3.5.20190313-114450.3bfee7f
3.5.20190422-102004.71358d2
3.5.20190425-152158.c63841b
3.6.20190722-122200.83d1447
3.7.20190823-091836.9f85050
3.8.20190920-091853.5b0aa4e
3.8.20191024-124504.15c0353
3.8.20191127-111424.5d61f82
3.8.20191204-084645.a4bff16
3.8.20191213-085900.c28ded4
3.8.20191216-154521.a7bf2be
3.8.20200204-101107.d1d344b
3.8.20200310-130318.c482b58
3.8.20200619-161058.8d2570f
3.9.20200623-110149.2e546a0
3.9.20200716-164408.7b4a45f
3.9.20200722-164144.e3a1be0
3.9.20201109-154552.99ba8b9
3.9.20201202-140722.b2f0146
3.9.20201203-120425.a87655e
3.9.20201203-135942.e9f4ebc
3.9.20201203-151437.f2f6b16
3.10.20201208-151941.d953318
3.10.20210222-102732.7875f67
3.11.20210301-084816.bd7c972
3.11.20210308-082521.0d183ff
3.11.20210323-112924.daaeac7
3.11.20210420-142258.bdfc332
3.11.20210621-093929.6318134
3.11.20210716-075132.3b66565
3.11.20210716-143001.0533f8f
3.11.20210729-123253.8df0e2b
3.11.20210811-095455.fdf8fec
3.11.20210824-103237.60c1db0
3.11.20210827-120909.86ad130
3.11.20210913-125050.6635ba0
3.11.20210914-082541.6f533b7
3.11.20210915-164919.37a20aa
3.11.20210920-123737.0869e33
3.12.20211019-085324.d8da475
3.12.20211101-111832.dd34097
3.12.20211110-124942.5dc6cea
3.13.398.v0b_eb_22e7a_122
3.13.20211117-154915.1ea721a
3.13.20211118-115856.c81882e
3.13.20211207-082721.a97491c
3.13.20211220-113820.efa5a1c
3.13.20211221-143401.603ba12
3.13.20220120-135049.5ef6fb1
3.13.20220121-112746.aa4474b
3.13.20220121-121645.a0ca2c5
3.13.20220124-164651.0b71b72
3.13.20220124-204320.8222771
3.13.20220201-143240.3d657a5
3.13.20220304-103341.e29a60e
3.13.20220304-155321.e7fcac5
3.14.401.v1311ea_023ce5
3.14.403.v07c2f1f96d60
3.14.405.v74e19a_0b_1a_1a_
3.14.407.v9d113b_445204
3.14.412.v8021dc9cc4ef
3.14.415.v4605773547f3
3.14.418.v7a_687b_6a_4c1d
3.14.424.v8290b_b_ec62cb_
3.14.431.v37ca_dc788b_b_1
3.15.438.vf87a_0dc45166
3.16.444.v52b_e5e2db_503
3.16.449.v50228c7ca_222
3.16.453.v39a_b_a_0401562
3.16.455.vd5654e1c14b_a_
3.16.459.vcdf273b_29f8c
3.16.465.ve8709b_fa_df42
3.16.471.v2dcf088efb_7f
3.16.474.vb_0cdf4908780
3.16.476.v410d6968f400
3.16.478.v41ee37380162
3.16.481.ved9f5106e132
3.16.485.ve2c3a_17ec407
3.16.487.v5d4d3b_6942ee
3.16.489.v7cf06846a_c96
3.16.491.v77a_2f8921c88
3.16.497.vd8491dd15a_8d
3.16.501.ve3d6b_58f1d37
3.16.503.vb_a_7b_10f1c4cf
3.16.506.v3e10c22ddc08
3.16.508.vfc408b_9601f0
3.16.510.v4d23e22cf563
3.17.514.va_6dfca_8a_f7a_c
3.17.518.v9cb_3ff833922