CVE-2023-24434
Description
A CSRF vulnerability in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers to connect to an attacker-specified URL using credentials obtained through another method, leading to credential capture.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Analysis
A cross-site request forgery (CSRF) vulnerability exists in the Jenkins GitHub Pull Request Builder Plugin version 1.42.2 and earlier [1][2]. The root cause is the absence of CSRF protection, enabling an attacker to forge requests on behalf of a legitimate user [1].
Attack Vector
An attacker can exploit this vulnerability by tricking an authenticated Jenkins user into clicking a crafted link or visiting a malicious page [1]. The attacker must first obtain valid credential IDs through a separate method (e.g., another vulnerability or information disclosure) [2]. With these IDs, a forged request can trigger the plugin to connect to an attacker-controlled URL using those credentials [1][2].
Impact
Successful exploitation allows the attacker to capture credentials stored in Jenkins by redirecting them to an attacker-specified URL [1][2]. The attacker gains unauthorized access to sensitive credentials, which can be used for further attacks within the Jenkins environment [1].
Mitigation
Jenkins has addressed this vulnerability in the GitHub Pull Request Builder Plugin by implementing CSRF protection [1]. Users should upgrade to a version containing the fix to prevent exploitation [1][2].
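To make the fixed pattern concrete, here is an added example that is not the plugin's own code (the page carries no fix diff): a hypothetical Jenkins descriptor with a "test connection" form-validation endpoint in the weak shape the analysis describes, beside the hardened shape, using the real Jenkins and Credentials Plugin APIs (`@RequirePOST`, `checkPermission`, `CredentialsProvider.lookupCredentials`). The class and method names are assumptions.

```java
import com.cloudbees.plugins.credentials.*;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import java.net.URI;
import java.util.Collections;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.*;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class ConnectionCheckDescriptor { // hypothetical, not the plugin's own code
    // WEAK: answers GET with no permission check, so a crafted link or page loaded by a
    // logged-in user makes Jenkins resolve credentialsId and send it to serverUrl.
    public FormValidation doTestConnectionWeak(@QueryParameter String serverUrl,
                                               @QueryParameter String credentialsId) {
        return connect(serverUrl, lookup(credentialsId, null));
    }

    // HARDENED: @RequirePOST rejects GET, and Jenkins' CrumbFilter then demands a valid
    // CSRF crumb on the POST; the permission check ties the call to a user allowed to
    // configure this item; credentials are resolved only in that item's scope.
    @RequirePOST
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String serverUrl,
                                           @QueryParameter String credentialsId) {
        if (item == null) Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        else item.checkPermission(Item.CONFIGURE);
        return connect(serverUrl, lookup(credentialsId, item));
    }

    private static StandardUsernamePasswordCredentials lookup(String id, Item scope) {
        return CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                        scope, ACL.SYSTEM, Collections.emptyList()),
                CredentialsMatchers.withId(id));
    }

    private static FormValidation connect(String serverUrl, StandardUsernamePasswordCredentials c) {
        if (c == null) return FormValidation.error("Unknown credentials id");
        if (!"https".equals(URI.create(serverUrl).getScheme())) { // never send a secret in clear
            return FormValidation.error("Server URL must use https");
        }
        // The real HTTPS request to serverUrl authenticated with c would go here.
        return FormValidation.ok("Connection parameters accepted");
    }
}
```

When reviewing a plugin for this class of bug, look for any `do*` method that reads a credentials ID and a URL from query parameters without `@RequirePOST` and a `checkPermission` call.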
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:ghprbMaven | <= 1.42.2 | — |
Affected products
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
- Jenkins Security Advisory 2023-01-24 (Jenkins Security Advisories, Jan 24, 2023)