CVE-2023-24459
Description
A missing permission check in Jenkins BearyChat Plugin 3.0.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
Jenkins BearyChat Plugin 3.0.2 and earlier does not perform a permission check in a method implementing form validation, so attackers with only Overall/Read permission can make the Jenkins controller connect to a URL of the attacker's choosing [1][2]. Form validation methods of this kind are normally guarded by the permission required to configure the plugin; because that check is missing, any user the controller allows to read its UI can invoke the method and reach outbound-connection behaviour that should have been restricted to administrators.
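The pattern behind this class of Jenkins finding, shown as an added illustration rather than the BearyChat Plugin's own source (the advisory does not name the affected method): a descriptor form-validation endpoint with no permission check beside its hardened counterpart. The class name, the method name `doTestConnection` and the parameter `webhookUrl` are assumptions chosen for the example.

```java
// Illustrative Jenkins global-configuration descriptor. NOT the BearyChat
// Plugin's code; ExampleNotifierConfiguration, doTestConnection and
// webhookUrl are hypothetical names used only for this example.
import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

@Extension
public class ExampleNotifierConfiguration extends GlobalConfiguration {

    // VULNERABLE PATTERN (the bug class described by CVE-2023-24459).
    // Stapler exposes any public doXxx method of a Descriptor at
    //   /descriptorByName/<fully.qualified.ClassName>/xxx
    // Nothing here verifies that the caller may configure the plugin, and
    // plain GET is accepted, so a user holding only Overall/Read can have the
    // controller connect to ?webhookUrl=http://host-of-their-choosing/ .
    public FormValidation doTestConnectionVulnerable(@QueryParameter String webhookUrl) {
        return probe(webhookUrl);
    }

    // HARDENED PATTERN: demand the permission that changing this global
    // setting requires (Overall/Administer) before doing anything, and only
    // accept POST so the request cannot be triggered by a cross-site GET.
    // checkPermission() throws for callers lacking the permission, so the
    // probe is never reached by a merely Overall/Read user.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String webhookUrl) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return probe(webhookUrl);
    }

    // The outbound connection itself. Note that even though no response body
    // is relayed, the distinct success / HTTP status / exception messages give
    // an unauthorised caller a blind-SSRF oracle about what the controller can
    // reach; that is why the permission check above matters.
    private static FormValidation probe(String webhookUrl) {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(webhookUrl).openConnection();
            conn.setRequestMethod("HEAD");
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            int status = conn.getResponseCode();
            return status < 400
                    ? FormValidation.ok("Reachable (HTTP " + status + ")")
                    : FormValidation.error("Endpoint returned HTTP " + status);
        } catch (IOException e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }
}
```

Both methods drive the same probe; the only difference is the `checkPermission` call and the `@RequirePOST` annotation, which is exactly the difference between the vulnerable behaviour the advisory describes and the behaviour a Jenkins plugin is expected to have. For job-level (rather than global) configuration the permission to check would be `Item.CONFIGURE` on the job instead of `Jenkins.ADMINISTER`.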
Exploitation and Attack Surface
Any Jenkins user holding Overall/Read can reach the affected method. That permission is commonly granted to every authenticated user, and on some instances to anonymous users, and no further privileges are needed. The attacker supplies an arbitrary URL, for example one pointing at a server they control, and the controller connects to it when the method is invoked. The connection attempt reveals the controller's egress IP address, confirms that it can reach the chosen host and port, and returns whatever the method reports about success or failure; the advisory does not describe response content being relayed to the caller [1].
Impact
Successful exploitation makes the Jenkins controller initiate an HTTP(S) request to an attacker-specified URL. The advisory describes no remote code execution, but this SSRF-like behaviour lets an attacker probe hosts and ports that are reachable from the controller yet not from the attacker, using the success, error and timing differences of the connection attempt [1][2]. Because nothing in the advisory indicates that response content is returned to the caller, the impact is essentially blind: the outbound connection itself is what can be observed or abused.
Mitigation
The Jenkins security advisory of 2023-01-24 confirms the issue and, as of its publication, lists no fix for BearyChat Plugin; the affected-versions table below likewise shows no patched version [1]. Until a fixed release exists, administrators should uninstall the plugin where it is not needed, or restrict Overall/Read to trusted users so that fewer accounts can reach the affected method. NVD rates the CVE 5.3 (Medium) [2], and no exploitation in the wild had been reported at the time of publication.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:bearychat (Maven) | <= 3.0.2 | — |
Affected products
- Range: unspecified
Patches
No patches discovered yet.
References
- [1] www.jenkins.io/security/advisory/2023-01-24/ (Jenkins Security Advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2023-24459 (NVD)
- [3] github.com/advisories/GHSA-67w4-w877-jv29 (GitHub Security Advisory)
News mentions
- Jenkins Security Advisory 2023-01-24 (Jenkins Security Advisories, Jan 24, 2023)