CVE-2023-30529
Description
Jenkins Lucene-Search Plugin lacks POST requirement for an HTTP endpoint, enabling unauthenticated attackers to trigger a database reindex.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
The Jenkins Lucene-Search Plugin versions 387.v938a_ecb_f7fe9 and earlier contain a missing HTTP method restriction vulnerability. The plugin exposes an endpoint for triggering a database reindex operation, but it does not require POST requests, allowing GET requests to invoke the action [1][3]. The root cause is the absence of the @RequirePOST annotation on the doPostRebuildDatabase method, as shown in the fix commit [4].
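The defect class described above, as an added illustration that is not the plugin's own code: a minimal Jenkins ManagementLink with a Stapler web method in the vulnerable shape (dispatched for any HTTP verb, no caller check) beside the hardened shape that the fix commit moves towards. The class name ReindexLink, its URL name, the rebuild() stub and the worker-count bound are hypothetical.

```java
// Added example (not the Lucene-Search plugin's code): a Stapler web method reachable by
// any HTTP verb next to its hardened form. ReindexLink, "example-search" and rebuild()
// are hypothetical stand-ins for the real plugin's LuceneManager and reindex work.
package example.lucene;

import hudson.Extension;
import hudson.model.ManagementLink;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

@Extension
public class ReindexLink extends ManagementLink {

    @Override public String getIconFileName() { return "search.png"; }
    @Override public String getDisplayName()  { return "Search index (example)"; }
    @Override public String getUrlName()      { return "example-search"; }

    /** Stand-in for the expensive reindex; the real plugin re-reads every build's data. */
    private int rebuild(int workers) {
        // ... enqueue index-rebuild work on `workers` threads ...
        return workers;
    }

    // BEFORE (vulnerable shape): Stapler maps doRebuildInsecure to the URL segment
    // "rebuildInsecure" under this link and dispatches it for GET as well as POST, so any
    // request that reaches the URL starts a rebuild. Nothing here checks who is asking.
    public void doRebuildInsecure(StaplerRequest req, StaplerResponse rsp,
                                  @QueryParameter int workers) throws IOException {
        rebuild(workers);
        rsp.setStatus(HttpServletResponse.SC_OK);
    }

    // AFTER (hardened): @RequirePOST makes Stapler refuse non-POST requests before the
    // method body runs, which also brings the request under Jenkins' CSRF crumb check;
    // the explicit permission check limits the action to administrators, and the bounds
    // check stops a caller from requesting an absurd worker count.
    @RequirePOST
    public void doRebuild(StaplerRequest req, StaplerResponse rsp,
                          @QueryParameter int workers) throws IOException, ServletException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        if (workers < 1 || workers > 32) {   // 32 is an arbitrary example ceiling
            rsp.sendError(HttpServletResponse.SC_BAD_REQUEST, "workers must be 1..32");
            return;
        }
        rebuild(workers);
        rsp.setStatus(HttpServletResponse.SC_OK);
    }
}
```

The fix commit on this page adds only the @RequirePOST line; whether a permission check is needed in addition depends on how the enclosing management page is already gated, which is why the hardened form above makes that check explicit rather than assuming it.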
Exploitation
An attacker can exploit this vulnerability by sending a simple GET request to the vulnerable endpoint without any authentication or special privileges. The only prerequisite is network access to a Jenkins instance running the affected plugin. No user interaction or prior knowledge is required [1][3].
Impact
Successful exploitation allows an attacker to trigger a reindex of the Lucene search database. While this does not directly expose sensitive data, it can cause significant performance degradation or a denial-of-service condition by repeatedly forcing reindex operations, potentially disrupting normal Jenkins operations [1][3].
Mitigation
The Jenkins Security Advisory 2023-04-12 lists this plugin as unresolved, meaning no official fix was released at that time [1]. However, a commit in the plugin's repository adds the @RequirePOST annotation to the vulnerable method, which would prevent GET-based exploitation [4]. Users should update to a version containing this fix once available, or alternatively restrict network access to the Jenkins instance and monitor for unusual reindex activity.
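The "monitor for unusual reindex activity" advice above, turned into an added log-review helper that is not part of the CVE record or of the plugin. It scans NCSA combined-format access log lines (the format most reverse proxies, and Jenkins' optional Winstone access logger, can emit) and reports two things: a non-POST request to the reindex endpoint that the server answered with 2xx (the POST requirement is not in force on that instance), and any client that hit the endpoint THRESHOLD or more times. The endpoint suffix follows Stapler's doXxx to /xxx mapping of doPostRebuildDatabase; the full path, the threshold and the sample log lines are constructed.

```java
// Added example (not the CVE record's or the plugin's code): review access logs for
// GET-triggered or repeated reindex requests. ENDPOINT is derived from Stapler's
// doPostRebuildDatabase -> /postRebuildDatabase mapping; the leading path and the
// sample lines in main() are constructed and must be adjusted to the real deployment.
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ReindexLogCheck {
    static final String ENDPOINT = "/postRebuildDatabase";
    static final int THRESHOLD = 3;   // hits from one client before we flag it (constructed value)

    // client ident user [timestamp] "METHOD path protocol" status ...
    static final Pattern LINE = Pattern.compile(
        "^(\\S+) \\S+ \\S+ \\[([^\\]]+)\\] \"(\\S+) (\\S+)[^\"]*\" (\\d{3})");

    static List<String> findings(List<String> lines) {
        List<String> out = new ArrayList<>();
        Map<String, Integer> hitsPerClient = new HashMap<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.find()) continue;                        // not combined format; skip
            String client = m.group(1), when = m.group(2), method = m.group(3),
                   path = m.group(4), status = m.group(5);
            int q = path.indexOf('?');
            String pathOnly = q < 0 ? path : path.substring(0, q);
            if (!pathOnly.endsWith(ENDPOINT)) continue;     // only the reindex endpoint matters

            // A GET (or anything but POST) that the server accepted means the
            // POST requirement is not enforced on this instance.
            if (!method.equals("POST") && status.startsWith("2")) {
                out.add(when + " " + client + ": " + method + " to " + pathOnly
                        + " accepted with " + status + "; POST requirement not enforced");
            }
            // Repeated reindex requests from one client are the resource-exhaustion pattern
            // described in the Impact section.
            int n = hitsPerClient.merge(client, 1, Integer::sum);
            if (n == THRESHOLD) {
                out.add(when + " " + client + ": " + n + " reindex requests; review for abuse");
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: one legitimate POST, three accepted GETs from one client,
        // one refused GET, one unrelated request.
        List<String> sample = List.of(
            "10.0.0.5 - admin [12/Apr/2023:10:00:01 +0000] \"POST /manage/lucene-search/postRebuildDatabase?workers=2 HTTP/1.1\" 200 57",
            "10.0.0.9 - - [12/Apr/2023:10:00:05 +0000] \"GET /manage/lucene-search/postRebuildDatabase?workers=8 HTTP/1.1\" 200 57",
            "10.0.0.9 - - [12/Apr/2023:10:00:06 +0000] \"GET /manage/lucene-search/postRebuildDatabase?workers=8 HTTP/1.1\" 200 57",
            "10.0.0.9 - - [12/Apr/2023:10:00:07 +0000] \"GET /manage/lucene-search/postRebuildDatabase?workers=8 HTTP/1.1\" 200 57",
            "10.0.0.7 - - [12/Apr/2023:10:01:00 +0000] \"GET /manage/lucene-search/postRebuildDatabase HTTP/1.1\" 405 0",
            "10.0.0.7 - - [12/Apr/2023:10:01:01 +0000] \"GET /job/build/1/console HTTP/1.1\" 200 1203");
        findings(sample).forEach(System.out::println);
    }
}
```

On the constructed sample the helper reports the three accepted GETs from 10.0.0.9 and, on the third of them, that the client reached the threshold; the refused GET from 10.0.0.7 is counted but not reported as a bypass because its status is not 2xx.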
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:lucene-search (Maven) | < 398.v3dfa_cb_223984 | 398.v3dfa_cb_223984 |
Patches
ffd691642b8d Merge pull request #64 from tdraebing/security-3013
3 files changed · +6 −4
.github/release-drafter.yml+0 −1 removed@@ -1 +0,0 @@ -_extends: .github
src/main/java/org/jenkinsci/plugins/lucene/search/management/LuceneManager.java+2 −0 modified@@ -12,6 +12,7 @@ import org.kohsuke.stapler.StaplerRequest; import org.kohsuke.stapler.StaplerResponse; import org.kohsuke.stapler.bind.JavaScriptMethod; +import org.kohsuke.stapler.interceptor.RequirePOST; import javax.inject.Inject; import javax.servlet.ServletException; @@ -82,6 +83,7 @@ private boolean checkJobNames(Set<String> jobs) { return size == 0; } + @RequirePOST public void doPostRebuildDatabase(StaplerRequest req, StaplerResponse rsp, @QueryParameter int workers) throws IOException, ServletException { writeStatus(rsp, rebuildDatabase(workers, "", "overwrite"));
src/test/java/org/jenkinsci/plugins/lucene/search/databackend/JenkinsSearchBackend.java+4 −3 modified@@ -40,9 +40,10 @@ public Search.Result search(String query) throws IOException, SAXException { } public LuceneManager.JSReturnCollection getRebuildStatus(URL url) throws IOException { - String jsonString = Resources.toString(url, Charset.defaultCharset()); - return (LuceneManager.JSReturnCollection) JSONObject.fromObject(jsonString).toBean( - LuceneManager.JSReturnCollection.class); + JenkinsRule.WebClient wc = rule.createWebClient(); + String jsonString = wc.postJSON(url.toString(), new JSONObject()).getContentAsString(); + return (LuceneManager.JSReturnCollection) + JSONObject.fromObject(jsonString).toBean(LuceneManager.JSReturnCollection.class); } public ExecutorService getBackgroundWorker() {
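Review bot: the @RequirePOST added to doPostRebuildDatabase in LuceneManager.java closes the GET path, but no permission check is visible in that hunk before writeStatus(rsp, rebuildDatabase(workers, "", "overwrite")) runs; confirm that the enclosing management page already gates access on an administrative permission, or make Jenkins.get().checkPermission(...) the method's first statement, since @RequirePOST on its own only enforces the HTTP method. The removal of `_extends: .github` from .github/release-drafter.yml is unrelated to the security change and would be easier to backport and audit as a separate commit.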
828f79fedbe3 Require POST request for triggering reindexing
3 files changed · +6 −4
.github/release-drafter.yml+0 −1 removed@@ -1 +0,0 @@ -_extends: .github
src/main/java/org/jenkinsci/plugins/lucene/search/management/LuceneManager.java+2 −0 modified@@ -12,6 +12,7 @@ import org.kohsuke.stapler.StaplerRequest; import org.kohsuke.stapler.StaplerResponse; import org.kohsuke.stapler.bind.JavaScriptMethod; +import org.kohsuke.stapler.interceptor.RequirePOST; import javax.inject.Inject; import javax.servlet.ServletException; @@ -82,6 +83,7 @@ private boolean checkJobNames(Set<String> jobs) { return size == 0; } + @RequirePOST public void doPostRebuildDatabase(StaplerRequest req, StaplerResponse rsp, @QueryParameter int workers) throws IOException, ServletException { writeStatus(rsp, rebuildDatabase(workers, "", "overwrite"));
src/test/java/org/jenkinsci/plugins/lucene/search/databackend/JenkinsSearchBackend.java+4 −3 modified@@ -40,9 +40,10 @@ public Search.Result search(String query) throws IOException, SAXException { } public LuceneManager.JSReturnCollection getRebuildStatus(URL url) throws IOException { - String jsonString = Resources.toString(url, Charset.defaultCharset()); - return (LuceneManager.JSReturnCollection) JSONObject.fromObject(jsonString).toBean( - LuceneManager.JSReturnCollection.class); + JenkinsRule.WebClient wc = rule.createWebClient(); + String jsonString = wc.postJSON(url.toString(), new JSONObject()).getContentAsString(); + return (LuceneManager.JSReturnCollection) + JSONObject.fromObject(jsonString).toBean(LuceneManager.JSReturnCollection.class); } public ExecutorService getBackgroundWorker() {
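Review bot: in JenkinsSearchBackend.getRebuildStatus the switch from Resources.toString(url, Charset.defaultCharset()) to wc.postJSON(url.toString(), new JSONObject()) correctly exercises the new POST-only path, but the method now depends on a `rule` field holding a JenkinsRule that does not appear in the visible context; confirm it is initialised before this helper is called. A companion assertion that a plain GET to the same URL is refused (for example JenkinsRule.WebClient#assertFails with the expected status) would lock in the behaviour this security fix is meant to guarantee, and the now-unused Resources and Charset imports, if still present, can go.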
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-gh5w-gffh-68pr (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-30529 (NVD advisory)
- www.jenkins.io/security/advisory/2023-04-12/ (vendor advisory)
- www.openwall.com/lists/oss-security/2023/04/13/3 (oss-security mailing list)
- github.com/jenkinsci/lucene-search-plugin/commit/828f79fedbe3da08b17937a85b98b5d7f499a8dd (fix commit)
- github.com/jenkinsci/lucene-search-plugin/commit/ffd691642b8dda63b55cfc7e73993336554dbcb2 (merge commit)
News mentions
- Jenkins Security Advisory 2023-04-12 (Jenkins Security Advisories, Apr 12, 2023)