VYPR
Moderate severity · NVD Advisory · Published May 16, 2023 · Updated Jan 23, 2025

CVE-2023-32998

Description

A cross-site request forgery (CSRF) vulnerability in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins AppSpider Plugin 1.0.15 and earlier has a CSRF flaw that lets attackers make the Jenkins server send HTTP POST requests, carrying attacker-supplied credentials in a JSON body, to attacker-chosen URLs.

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins AppSpider Plugin versions 1.0.15 and earlier. The plugin does not require a unique token or multi-step confirmation for certain state-changing actions, so an attacker can trick an authenticated Jenkins user into executing requests without their knowledge. The root cause is the absence of CSRF protection on a form validation or configuration endpoint.

To exploit this vulnerability, an attacker must convince a Jenkins user with appropriate permissions to visit a malicious page while they are authenticated to Jenkins. No additional authentication is required from the attacker beyond crafting a link or hosting a page that automatically triggers the request. The affected endpoint accepts an attacker-specified URL, and an HTTP POST request with a JSON payload containing attacker-controlled credentials is sent to that URL [1][2].

Successful exploitation allows an attacker to make the Jenkins server connect to any attacker-chosen URL and send a POST request with arbitrary JSON credentials. This could be used to exfiltrate data to an attacker-controlled server, probe internal network resources, or perform actions on other systems using the Jenkins server's identity and trust [1][2].

The vulnerability is fixed in AppSpider Plugin version 1.0.16. Users are advised to upgrade immediately. No workarounds are provided; the Jenkins security advisory recommends applying the update as soon as possible [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
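The root cause and fix described above, as an added example in Java that is not code from the AppSpider plugin or from this page: a Jenkins form-validation method in the unprotected shape the advisory describes, beside the standard hardened form used in Jenkins plugins (restrict the verb to POST so the CSRF crumb check applies, and require a permission before connecting out). Class, method and parameter names are assumed.

```java
// Illustrative Jenkins global configuration (assumed names; not the AppSpider plugin's code).
import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;

@Extension
public class ScannerGlobalConfig extends GlobalConfiguration {
    // BEFORE (the pattern this CVE describes): reachable by a plain GET that a
    // malicious page can trigger in a logged-in user's browser; no CSRF crumb is
    // checked and no permission is required before the controller connects out.
    public FormValidation doTestConnectionUnprotected(@QueryParameter String url,
            @QueryParameter String username, @QueryParameter String password) {
        return tryLogin(url, username, password);
    }

    // AFTER: @POST rejects anything but a POST, so Jenkins' crumb (CSRF) check
    // applies, and checkPermission limits the outbound request to administrators.
    @POST
    public FormValidation doTestConnection(@QueryParameter String url,
            @QueryParameter String username, @QueryParameter String password) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return tryLogin(url, username, password);
    }

    // Sends the JSON credential payload the advisory describes; shared by both variants.
    private FormValidation tryLogin(String url, String username, String password) {
        JSONObject body = new JSONObject();
        body.put("username", username);
        body.put("password", password);
        HttpRequest req = HttpRequest.newBuilder(URI.create(url))
                .header("Content-Type", "application/json")
                .POST(HttpRequest.BodyPublishers.ofString(body.toString())).build();
        try {
            HttpResponse<Void> rsp = HttpClient.newHttpClient()
                    .send(req, HttpResponse.BodyHandlers.discarding());
            return rsp.statusCode() == 200 ? FormValidation.ok("Connection succeeded")
                    : FormValidation.error("HTTP " + rsp.statusCode());
        } catch (Exception e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```

With the hardened method, a request that is not a POST is refused by Stapler, a POST without a valid crumb is refused by Jenkins' CSRF filter, and a non-administrator receives an access-denied response before any outbound connection is made.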

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.rapid7:jenkinsci-appspider-plugin (Maven)
Affected versions: < 1.0.16
Patched versions: 1.0.16
