CVE-2023-37952
Description
A cross-site request forgery (CSRF) vulnerability in Jenkins mabl Plugin 0.0.46 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in Jenkins mabl Plugin 0.0.46 and earlier lets an attacker make a victim's Jenkins session connect to an attacker-controlled URL with a stored credential, disclosing that credential.
Jenkins mabl Plugin 0.0.46 and earlier exposes functionality that connects to a caller-supplied URL using a Jenkins credential selected by its ID. Because that functionality is not protected against cross-site request forgery (CSRF), a request forged from another site can trigger it, and the credential is sent to whoever controls the URL [1].
To exploit this, the attacker first needs a valid credential ID, which the description notes must be obtained through some other means [1]. The attacker then lures a Jenkins user who holds the required permission onto a page that issues the forged request, for example a link or embedded resource pointing at the vulnerable endpoint with the attacker's URL and the credential ID as parameters. The victim's browser attaches the Jenkins session cookie, and the plugin connects to the attacker's server using the named credential. The attacker needs no Jenkins account of their own: the forged request is authorized by the victim's session.
Successful exploitation discloses the captured credential, which can then be used against any system it grants access to and, depending on what the credential protects, against the Jenkins instance itself.
The fix is mabl Plugin 0.0.47, announced in the Jenkins security advisory of July 12, 2023 [1][2]. No workaround is listed, so affected instances should upgrade.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.mabl.integration.jenkins:mabl-integration (Maven) | < 0.0.47 | 0.0.47 |
Affected products
- Range: <= 0.0.46
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-wvgr-5wgr-c6fj (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-37952 (NVD)
- www.jenkins.io/security/advisory/2023-07-12/ (Jenkins vendor advisory)
- www.openwall.com/lists/oss-security/2023/07/12/2 (oss-security post)
News mentions
- Jenkins Security Advisory 2023-07-12 (Jenkins Security Advisories, Jul 12, 2023)