CVE-2023-32999
Description
A missing permission check in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins AppSpider Plugin 1.0.15 and earlier lacks a permission check, allowing attackers with Overall/Read to send attacker-specified POST requests to arbitrary URLs.
Vulnerability
CVE-2023-32999 is a missing permission check in the Jenkins AppSpider Plugin, versions 1.0.15 and earlier. The plugin fails to properly verify that a user has the required permissions before allowing certain actions, meaning that any user holding the Overall/Read permission can trigger functionality that should require higher privileges.
Exploitation
An attacker with only Overall/Read access can exploit this flaw to send an HTTP POST request to an attacker-specified URL [1][2]. The request carries a JSON payload containing attacker-controlled credentials. This effectively allows the attacker to use the Jenkins server as a proxy for outbound HTTP requests, as the Jenkins server will initiate the connection.
Impact
Successful exploitation enables an attacker to perform server-side request forgery (SSRF) attacks, potentially reaching internal network resources or external systems. The attacker can also inject arbitrary credentials, which could be used for phishing, credential stuffing, or accessing third-party services while impersonating the Jenkins instance [2].
Mitigation
The vulnerability is fixed in AppSpider Plugin versions after 1.0.15 [1]. Users should upgrade to the latest available version. No workaround is mentioned, but as a general measure, restricting the Overall/Read permission to trusted users can reduce the attack surface.
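As an added illustration (not the AppSpider plugin's own code), this is the Jenkins-plugin pattern behind this class of bug: a connection-test form-validation method that opens an outbound POST with a JSON credential body, shown first without any permission check and then guarded. The class and method names are hypothetical, and the choice of Jenkins.ADMINISTER is an assumption, since the advisory text does not state which permission the fix requires.

```java
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

// Hypothetical plugin descriptor; names are illustrative only.
public class ExampleScannerConfig {

    // VULNERABLE PATTERN: any user who can reach the config form (Overall/Read)
    // may invoke this, and Jenkins itself connects to the caller-supplied URL,
    // forwarding the caller-supplied credentials in the JSON body.
    public FormValidation doTestConnectionUnchecked(@QueryParameter String url,
                                                    @QueryParameter String username,
                                                    @QueryParameter String password) {
        return tryLogin(url, username, password); // no permission check, no POST requirement
    }

    // HARDENED PATTERN: enforce a privileged permission before any network
    // activity, and accept only POST so a plain GET link cannot trigger it.
    @POST
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter String username,
                                           @QueryParameter String password) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER); // throws AccessDeniedException
        return tryLogin(url, username, password);
    }

    // Outbound POST with a JSON credential payload (the behaviour the advisory
    // describes). String-built JSON is for brevity; use a JSON library in practice.
    private FormValidation tryLogin(String url, String username, String password) {
        try {
            String json = "{\"username\":\"" + username + "\",\"password\":\"" + password + "\"}";
            HttpRequest req = HttpRequest.newBuilder(URI.create(url))
                    .header("Content-Type", "application/json")
                    .POST(HttpRequest.BodyPublishers.ofString(json))
                    .build();
            HttpResponse<String> resp = HttpClient.newHttpClient()
                    .send(req, HttpResponse.BodyHandlers.ofString());
            return resp.statusCode() == 200
                    ? FormValidation.ok("Connected")
                    : FormValidation.error("HTTP " + resp.statusCode());
        } catch (IOException | InterruptedException e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }
}
```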
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.rapid7:jenkinsci-appspider-plugin (Maven) | < 1.0.16 | 1.0.16 |
Affected products
- (no CPE) range: <=1.0.15
- (no CPE) range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-2c5c-fhr8-pwh9 (source: GHSA; type: advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-32999 (source: GHSA; type: advisory)
- www.jenkins.io/security/advisory/2023-05-16/ (source: GHSA; type: vendor advisory, web)
News mentions
- Jenkins Security Advisory 2023-05-16, Jenkins Security Advisories, May 16, 2023