Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1qcjg2LTZqNGotbXY0Nc4AAyuS

Jenkins Assembla merge request builder Plugin missing authentication to access endpoint

Jenkins Assembla merge request builder Plugin provides a webhook endpoint at /assembla-webhook/ that can be used to trigger builds of jobs configured to use a specified repository.

In Assembla merge request builder Plugin 1.1.13 and earlier, this endpoint can be accessed without authentication. This allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.
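Because no fixed version is listed, the practical question for an operator is whether anyone has already hit the endpoint anonymously. The following detection script is an added example written for this page, not code from the plugin or from Jenkins. It assumes the controller writes an NCSA-style access log (the format produced by Jenkins' built-in winstone access logger, with the authenticated user in the third field and "-" for anonymous requests), and the log lines below are constructed for the example rather than captured from a real system. It flags successful requests to /assembla-webhook/ that carried no authenticated user, which is exactly the condition the advisory describes.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample lines (NOT real logs), NCSA combined format as assumed
# for a Jenkins controller with the built-in access logger enabled.
# Third field is the authenticated Jenkins user, "-" means anonymous.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2023:10:15:02 +0000] "POST /assembla-webhook/ HTTP/1.1" 200 0 "-" "curl/7.88.1"
198.51.100.4 - alice [12/Apr/2023:10:15:40 +0000] "GET /job/build-me/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2023:10:16:11 +0000] "POST /assembla-webhook/?repo=x HTTP/1.1" 200 0 "-" "python-requests/2.28"
198.51.100.9 - bob [12/Apr/2023:10:17:00 +0000] "POST /assembla-webhook/ HTTP/1.1" 200 0 "-" "Assembla-Hookshot"
203.0.113.8 - - [12/Apr/2023:10:18:30 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Apr/2023:10:19:05 +0000] "POST /assembla-webhook/ HTTP/1.1" 403 0 "-" "curl/7.88.1"
"""

# One regex for the whole NCSA combined line; groups we do not need are not named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Endpoint named in the advisory; matched after stripping query string and
# trailing slash so "/assembla-webhook", "/assembla-webhook/" and
# "/assembla-webhook/?repo=x" all count.
WEBHOOK_PATH = "/assembla-webhook"


@dataclass(frozen=True)
class AccessRecord:
    ip: str
    user: str
    ts: str
    method: str
    path: str
    status: int
    ua: str

    @property
    def anonymous(self) -> bool:
        return self.user == "-"

    @property
    def is_webhook(self) -> bool:
        bare = self.path.split("?", 1)[0].rstrip("/")
        return bare == WEBHOOK_PATH


def parse_line(line: str) -> Optional[AccessRecord]:
    """Parse one access-log line; return None for lines that do not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return AccessRecord(
        ip=m["ip"], user=m["user"], ts=m["ts"], method=m["method"],
        path=m["path"], status=int(m["status"]), ua=m["ua"],
    )


def unauthenticated_webhook_hits(lines: Iterable[str]) -> List[AccessRecord]:
    """Return webhook requests that were served (status < 400) to an anonymous caller.

    A 401/403 means authentication was enforced, so those are excluded; an
    authenticated user calling the endpoint is expected and also excluded.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec.is_webhook:
            continue
        if rec.anonymous and rec.status < 400:
            hits.append(rec)
    return hits


def hits_by_source(hits: Iterable[AccessRecord]) -> Dict[str, int]:
    """Count anonymous webhook hits per source IP for triage."""
    return dict(Counter(h.ip for h in hits))


if __name__ == "__main__":
    found = unauthenticated_webhook_hits(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.ts} {h.ip} {h.method} {h.path} status={h.status} ua={h.ua!r}")
    print("per source:", hits_by_source(found))
```

Triage note: a legitimate Assembla-originated webhook call is also anonymous from Jenkins' point of view, so every hit is not an attack; group by source address and compare against the addresses Assembla actually sends from. If Jenkins sits behind a reverse proxy, the first field will be the proxy's address and you will need the proxy's own log instead. Whether the user field is populated at all depends on how access logging is configured on your controller, which is the assumption this script rests on.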

Permalink: https://github.com/advisories/GHSA-jr86-6j4j-mv45
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qcjg2LTZqNGotbXY0Nc4AAyuS
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: about 1 year ago


CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Identifiers: GHSA-jr86-6j4j-mv45, CVE-2023-30521
References: (none listed)
Blast Radius: 1.0

Affected Packages

maven:org.jenkins-ci.plugins:assembla-merge-request-builder
Affected Version Ranges: <= 1.1.13
No known fixed version