Skip to content

Jenkins Gogs Plugin vulnerable to unsafe default behavior and information disclosure

Moderate severity GitHub Reviewed Published Aug 16, 2023 to the GitHub Advisory Database • Updated Nov 11, 2023

Package

maven org.jenkins-ci.plugins:gogs-webhook (Maven)

Affected versions

<= 1.0.15

Patched versions

None

Description

Jenkins Gogs Plugin provides a webhook endpoint at /gogs-webhook that can be used to trigger builds of jobs. In Gogs Plugin 1.0.15 and earlier, an option to specify a Gogs secret for this webhook is provided, but not enabled by default.

This allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified job name.

Additionally, the output of the webhook endpoint includes whether a job corresponding to the attacker-specified job name exists, even if the attacker has no permission to access it.

As of publication of this advisory, there is no fix.

References

Published by the National Vulnerability Database Aug 16, 2023
Published to the GitHub Advisory Database Aug 16, 2023
Reviewed Aug 16, 2023
Last updated Nov 11, 2023

Severity

Moderate
6.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Weaknesses

No CWEs

CVE ID

CVE-2023-40348

GHSA ID

GHSA-qxwc-wchr-5h29

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.