CVE-2023-30522
Description
A missing permission check in Jenkins Fogbugz Plugin 2.2.17 and earlier allows attackers with Item/Read permission to trigger builds of jobs specified in a 'jobname' request parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing permission check in Jenkins Fogbugz Plugin ≤2.2.17 allows attackers with Item/Read to trigger builds of arbitrary jobs via 'jobname' parameter.
The Fogbugz Plugin for Jenkins lacks a permission check when processing requests to trigger builds. This allows an attacker with Item/Read permission to specify a job via the 'jobname' request parameter and trigger a build of that job, even without the necessary Build or Run permissions [1].

An attacker only needs Item/Read permission, a low-level permission often granted to many users. They can send a crafted HTTP request to the plugin's endpoint, setting the 'jobname' parameter to any job on the Jenkins instance. No further authentication is required. This can be done remotely if the Jenkins instance is network-accessible [3].

The impact includes unauthorized triggering of builds, potentially leading to resource exhaustion, disruption of pipeline execution, or triggering downstream actions that could have security implications. This vulnerability is rated as medium severity [1].

The vulnerability affects Fogbugz Plugin version 2.2.17 and earlier. As of the advisory, no fix has been released; the plugin is listed as unresolved. Mitigations include restricting Item/Read permissions or removing the plugin if not essential. Users should monitor for updates from the Jenkins project [1][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
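As an added illustration (not the Fogbugz Plugin's code, which this page does not show), here is a Jenkins Stapler web method of the kind the narrative describes, written with the per-job Item/Build check whose absence this class of bug amounts to; the class name, URL name and method name are hypothetical.

```java
import hudson.Extension;
import hudson.model.Item;
import hudson.model.Job;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import jenkins.model.ParameterizedJobMixIn;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

// Hypothetical root action serving /fogbugz-trigger-example/trigger?jobname=...
// (illustrative names; not taken from the plugin).
@Extension
public class FogbugzTriggerExampleAction implements RootAction {
    @Override public String getIconFileName() { return null; } // no sidebar link
    @Override public String getDisplayName() { return null; }
    @Override public String getUrlName() { return "fogbugz-trigger-example"; }

    // @RequirePOST prevents the build from being fired by a plain GET request.
    @RequirePOST
    public HttpResponse doTrigger(@QueryParameter String jobname) {
        // getItemByFullName enforces only Item/Read, which is exactly the permission
        // the advisory says attackers already hold, so it is not sufficient on its own.
        Job<?, ?> job = Jenkins.get().getItemByFullName(jobname, Job.class);
        if (job == null) {
            return HttpResponses.notFound();
        }
        // The check this bug class omits: require Item/Build on the target job itself.
        // Throws AccessDeniedException (a 403, or a login redirect for anonymous users)
        // for a caller who has Item/Read but not Item/Build on that job.
        job.checkPermission(Item.BUILD);
        if (!(job instanceof ParameterizedJobMixIn.ParameterizedJob)) {
            return HttpResponses.error(400, "Job is not buildable: " + jobname);
        }
        ((ParameterizedJobMixIn.ParameterizedJob<?, ?>) job).scheduleBuild2(0);
        return HttpResponses.ok();
    }
}
```

Until a fixed plugin release is available, the mitigations in the narrative (restricting Item/Read, or removing the plugin) remain the only controls an administrator can apply.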
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:fogbugz (Maven) | <= 2.2.17 | — |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-2482-gr3v-f3f3 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-30522 (NVD)
- www.jenkins.io/security/advisory/2023-04-12/ (vendor advisory)
- www.openwall.com/lists/oss-security/2023/04/13/3 (oss-security)
News mentions
- Jenkins Security Advisory 2023-04-12 (Jenkins Security Advisories · Apr 12, 2023)