CVE-2023-32980
Description
A cross-site request forgery (CSRF) vulnerability in Jenkins Email Extension Plugin allows attackers to make another user stop watching an attacker-specified job.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Email Extension Plugin CSRF allows attackers to trick users into un-watching a specified job.
Vulnerability
Jenkins Email Extension Plugin has a cross-site request forgery (CSRF) vulnerability. This allows an attacker to perform actions on behalf of another user without their consent, specifically to make that user stop watching an attacker-specified job. The issue stems from insufficient CSRF protection in the plugin's endpoints.
Attack Vector
Exploitation requires an authenticated user to visit a malicious page crafted by the attacker. The attacker must specify the target job that the victim should stop watching. No additional privileges are needed beyond the victim's existing permissions in Jenkins.
Impact
An attacker can cause a victim to unknowingly cease monitoring a job, which could lead to missed build failures or other events. This disrupts the user's workflow and may delay incident response.
Mitigation
The Jenkins project has addressed this vulnerability in a security advisory [1]. Users should update the Email Extension Plugin to the latest version. No workarounds are mentioned.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:email-ext (Maven) | < 2.96.1 | 2.96.1 |
Affected products
- Jenkins Project/Jenkins Email Extension Plugin (v5) Range: 2.96.1
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-2f89-66v2-9p53 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-32980 (ghsa, ADVISORY)
- www.jenkins.io/security/advisory/2023-05-16/ (ghsa, vendor-advisory, WEB)
News mentions
- Jenkins Security Advisory 2023-05-16 (Jenkins Security Advisories · May 16, 2023)