CVE-2023-30519
Description
Jenkins Quay.io trigger Plugin 0.1 and earlier lacks a permission check, allowing unauthenticated attackers to trigger builds for arbitrary repositories.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Details
CVE-2023-30519 affects the Jenkins Quay.io trigger Plugin version 0.1 and earlier. The plugin contains a missing permission check, allowing unauthenticated attackers to trigger builds of jobs corresponding to an attacker-specified repository [1]. This means no authentication is required to invoke the build trigger functionality.
Exploitation
An attacker with network access to a Jenkins instance running the vulnerable plugin can send crafted requests to trigger builds for any repository they choose. No prior authentication or special privileges are needed [1]. The plugin does not verify that the requester has permission to trigger builds, making the attack straightforward.
Impact
Successful exploitation enables an attacker to cause Jenkins to execute builds for arbitrary repositories. This could lead to resource consumption, disruption of legitimate builds, or execution of malicious pipeline code if the triggered job is configured to run untrusted code [2].
Mitigation
As of the Jenkins Security Advisory 2023-04-12, the Quay.io trigger Plugin is listed among unresolved security issues with no fix available [2]. Users are advised to disable the plugin or restrict network access to the Jenkins instance until a patched version is released.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:quayio-trigger (Maven) | <= 0.1 | — |
Affected products
- Range: 0
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-q2fc-9ww2-ggfj (advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-30519 (advisory)
- www.jenkins.io/security/advisory/2023-04-12/ (vendor advisory)
- www.openwall.com/lists/oss-security/2023/04/13/3 (web)
News mentions
- Jenkins Security Advisory 2023-04-12 (Jenkins Security Advisories, Apr 12, 2023)