VYPR
High severity · NVD Advisory · Published Jan 24, 2023 · Updated Apr 2, 2025

CVE-2023-24452

Description

Jenkins TestQuality Updater Plugin 1.3 and earlier has a CSRF vulnerability allowing attackers to connect to arbitrary URLs using attacker-controlled credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A cross-site request forgery (CSRF) vulnerability exists in Jenkins TestQuality Updater Plugin versions 1.3 and earlier. The plugin fails to properly validate requests, allowing attackers to trick authenticated Jenkins users into inadvertently making requests that connect to an attacker-specified URL using attacker-controlled username and password credentials [1][2].

Exploitation requires the attacker to craft a malicious web page or link that, when visited by a Jenkins user with sufficient permissions, triggers a forged request. No authentication is needed for the attacker; they rely on the victim's authenticated session with the Jenkins instance. The attacker can specify both the target URL and the credentials used for the connection [2].

Successful exploitation enables the attacker to force the Jenkins server to initiate connections to arbitrary external servers using credentials of the attacker's choosing. This could be used to exfiltrate data, perform further attacks, or leverage Jenkins as a proxy to interact with third-party services [1][2].

The vulnerability has been addressed in subsequent versions of the plugin. Users are advised to update to a fixed version as per the Jenkins security advisory. No workarounds are documented, so applying the plugin update is the recommended mitigation [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:testquality-updater (Maven)
Affected versions: <= 1.3
Patched versions: none listed
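
A check for the affected range listed above, as an added example (not code from Jenkins or the plugin): it reads a plugin inventory in the shape returned by Jenkins' `/pluginManager/api/json?depth=1` and flags `testquality-updater` at 1.3 or earlier. The short name is assumed to match the Maven artifact ID, and the sample inventory is constructed.

```python
import json
import re

PLUGIN = "testquality-updater"  # assumption: shortName equals the Maven artifactId
LAST_AFFECTED = (1, 3)          # "<= 1.3" from the affected-versions entry

# Constructed sample in the shape of /pluginManager/api/json?depth=1
SAMPLE = json.dumps({"plugins": [
    {"shortName": "git", "version": "5.0.0", "enabled": True},
    {"shortName": "testquality-updater", "version": "1.3", "enabled": True},
]})


def version_key(version):
    """Leading dotted-numeric part of a version string as a tuple of ints."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def _pad(key, width):
    return key + (0,) * (width - len(key))


def is_affected(version):
    """True if version <= 1.3, comparing numerically (so 1.10 > 1.3)."""
    key = version_key(version)
    width = max(len(key), len(LAST_AFFECTED))
    # Qualifiers such as -SNAPSHOT are ignored, which errs toward "affected".
    return _pad(key, width) <= _pad(LAST_AFFECTED, width)


def audit(plugin_json):
    """Return a finding for the plugin, or None if it is not installed."""
    for plugin in json.loads(plugin_json).get("plugins", []):
        if plugin.get("shortName") != PLUGIN:
            continue
        version = str(plugin.get("version", ""))
        try:
            affected = is_affected(version)
        except ValueError:
            affected = True  # fail closed on a version that cannot be parsed
        return {"version": version, "enabled": bool(plugin.get("enabled")),
                "affected": affected}
    return None


if __name__ == "__main__":
    print(audit(SAMPLE))
```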

Patches

0

No patches discovered yet.
