CVE-2023-37955
Description
CSRF vulnerability in Jenkins Test Results Aggregator Plugin allows attackers to connect to attacker-specified URL using attacker-specified credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Summary
A cross-site request forgery (CSRF) vulnerability exists in the Jenkins Test Results Aggregator Plugin: version 1.2.13 and earlier according to the Jenkins advisory, and every version before 1.2.16 according to the GitHub Security Advisory. The plugin's doTestApiConnection form-validation method accepted GET requests and performed no permission check, so a request forged on behalf of an authenticated administrator was enough to reach it.
Exploitation
An attacker crafts a web page or link that, when visited by an authenticated Jenkins administrator, makes the victim's browser send a request to the plugin's form-validation endpoint with the victim's session cookie attached. Because the method did not require POST, a plain GET (a link or an image tag is enough) suffices, and Jenkins' crumb-based CSRF protection, which applies only to POST requests, never comes into play. The request parameters specify an arbitrary jenkinsUrl, username and password, which the plugin hands to its Collector and uses to attempt a connection. The fix commit (7dc29066d70a) [4] adds the @RequirePOST annotation and a Jenkins.ADMINISTER permission check to doTestApiConnection, but when the advisory was published no release containing that fix existed.
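The pattern behind this CVE, a Stapler-bound doXxx form-validation method that takes a target URL and credentials from request parameters and acts on them without @RequirePOST and without a permission check, is easy to scan for in plugin source. The following audit script is an added example, not code from the plugin or from the Jenkins project; the Java it scans (SAMPLE_JAVA) is constructed here to mirror the shape of the method before and after the fix, and the "sensitive parameter" and "permission check" rules are heuristics chosen for this illustration.

```python
"""Heuristic scan of Jenkins plugin source for form-validation methods that use
request-supplied URLs or credentials without @RequirePOST and a permission check."""
import re
from dataclasses import dataclass

# Constructed Java source (not the plugin's real code): a harmless doCheck
# validator, an unprotected connection test, and a guarded variant.
SAMPLE_JAVA = """
public FormValidation doCheckOutOfDateResults(@QueryParameter final String outOfDateResults) {
    return FormValidation.ok();
}

public FormValidation doTestApiConnection(@QueryParameter final String jenkinsUrl,
        @QueryParameter final String username, @QueryParameter final Secret password) {
    try {
        new Collector(null, username, password, jenkinsUrl).getAPIConnection();
        return FormValidation.ok("success");
    } catch (Exception e) {
        return FormValidation.error(e.getMessage());
    }
}

@RequirePOST
public FormValidation doTestApiConnectionFixed(@QueryParameter final String jenkinsUrl,
        @QueryParameter final String username, @QueryParameter final Secret password) {
    Jenkins.get().checkPermission(Jenkins.ADMINISTER);
    try {
        new Collector(null, username, password, jenkinsUrl).getAPIConnection();
        return FormValidation.ok("success");
    } catch (Exception e) {
        return FormValidation.error(e.getMessage());
    }
}
"""

# Annotations directly before a public FormValidation doXxx(...) method and its parameter list.
METHOD_RE = re.compile(
    r"((?:@\w+(?:\([^)]*\))?\s*)*)"
    r"public\s+FormValidation\s+(do\w+)\s*\(([^)]*)\)\s*\{"
)
# Parameter names that suggest the method reaches out or carries a credential (heuristic).
SENSITIVE_NAME_RE = re.compile(r"url|password|passwd|token|credential|secret", re.I)
# Permission-check calls recognised in the method body (heuristic).
PERMISSION_RE = re.compile(r"\b(?:checkPermission|checkAnyPermission|hasPermission)\s*\(")


@dataclass
class Finding:
    method: str
    requires_post: bool
    checks_permission: bool
    sensitive_params: list

    @property
    def missing(self) -> list:
        gaps = []
        if not self.requires_post:
            gaps.append("@RequirePOST")
        if not self.checks_permission:
            gaps.append("permission check")
        return gaps

    @property
    def severity(self) -> str:
        # A validator that only inspects a field needs neither control; one that
        # takes a target URL or a credential and acts on it needs both.
        return "high" if self.sensitive_params and self.missing else "ok"


def _body_after(src: str, open_brace: int) -> str:
    """Return the text between the brace at open_brace and its matching close."""
    depth = 0
    for i in range(open_brace, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_brace + 1:i]
    raise ValueError("unbalanced braces")


def _sensitive_params(param_list: str) -> list:
    names = []
    for raw in param_list.split(","):
        tokens = raw.split()
        if len(tokens) < 2:
            continue
        jtype, name = tokens[-2], tokens[-1]
        if jtype == "Secret" or SENSITIVE_NAME_RE.search(name):
            names.append(name)
    return names


def audit(java_source: str) -> list:
    findings = []
    for m in METHOD_RE.finditer(java_source):
        annotations = re.findall(r"@(\w+)", m.group(1))
        body = _body_after(java_source, m.end() - 1)
        findings.append(Finding(
            method=m.group(2),
            requires_post=bool({"RequirePOST", "POST"} & set(annotations)),
            checks_permission=PERMISSION_RE.search(body) is not None,
            sensitive_params=_sensitive_params(m.group(3)),
        ))
    return findings


def report(findings: list) -> list:
    lines = []
    for f in findings:
        detail = "missing: " + (", ".join(f.missing) or "none")
        if f.sensitive_params:
            detail += "; sensitive params: " + ", ".join(f.sensitive_params)
        lines.append(f"[{f.severity}] {f.method}: {detail}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(audit(SAMPLE_JAVA))))
```

Run against a plugin's src/main/java tree the script flags doTestApiConnection-style methods that both lack @RequirePOST and skip a permission check; the scan is deliberately conservative and treats a method as safe as soon as both controls are present, so a finding is a prompt to read the method, not a verdict.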
Impact
Successful exploitation makes the Jenkins controller open a connection to an attacker-chosen server and present a username and password of the attacker's choice. The direct impact is limited to that connection attempt: the receiving server can record whatever credentials it was sent, and the form-validation response reveals whether the connection succeeded, which an attacker can also use to probe hosts reachable from the controller. Nothing else on the controller is modified.
Mitigation
As per the Jenkins Security Advisory [1] and the oss-security announcement [2], no fixed version was available when the advisory was published on July 12, 2023, and the plugin was listed as having an unresolved security issue. The GitHub Security Advisory now lists 1.2.16 as the patched version (see Affected packages below), so administrators should upgrade to 1.2.16 or later. Where that is not yet possible, disable the plugin or restrict who can reach its configuration until it can be upgraded.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.plugins:test-results-aggregator | Maven | < 1.2.16 | 1.2.16 |
Patches
Commit 7dc29066d70a: FIX : SECURITY-3122
1 file changed · +5 −0
src/main/java/com/jenkins/testresultsaggregator/TestResultsAggregator.java+5 −0 modified@@ -20,6 +20,7 @@ import org.kohsuke.stapler.DataBoundSetter; import org.kohsuke.stapler.QueryParameter; import org.kohsuke.stapler.StaplerRequest; +import org.kohsuke.stapler.interceptor.RequirePOST; import com.google.common.base.Strings; import com.jenkins.testresultsaggregator.data.Aggregated; @@ -49,6 +50,7 @@ import hudson.util.FormValidation; import hudson.util.Secret; import hudson.util.VariableResolver; +import jenkins.model.Jenkins; import jenkins.tasks.SimpleBuildStep; import net.sf.json.JSONObject; @@ -385,7 +387,10 @@ public FormValidation doCheckOutOfDateResults(@QueryParameter final String outOf } } + @RequirePOST public FormValidation doTestApiConnection(@QueryParameter final String jenkinsUrl, @QueryParameter final String username, @QueryParameter final Secret password) { + // https://www.jenkins.io/doc/developer/security/form-validation/ + Jenkins.get().checkPermission(Jenkins.ADMINISTER); try { new Collector(null, username, password, jenkinsUrl).getAPIConnection(); return FormValidation.ok(LocalMessages.SUCCESS.toString());
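Review bot: in the doTestApiConnection hunk the new `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` is correctly placed before `new Collector(null, username, password, jenkinsUrl).getAPIConnection()`, so no connection is attempted for an unauthorized caller, but this is a one-file change with no test; a JenkinsRule test that sends a GET to the endpoint and expects 405, and a POST as a user without Overall/Administer and expects 403, would pin both controls against regression. Two further points: the visible context imports jenkins.tasks.SimpleBuildStep, so this validation is reached from a job configuration page, and requiring Jenkins.ADMINISTER (rather than Item.CONFIGURE on the ancestor Item, as the form-validation page cited in the new comment describes for job-level forms) means non-admin users who configure jobs can no longer use the connection test, which should be called out in the changelog; and the commit message "FIX : SECURITY-3122" does not say that the method previously had no permission check at all, which the hunk shows, so the advisory text should cover the authorization gap as well as the missing POST requirement.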
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-8gc7-whph-rx5q (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2023-37955 (NVD)
- https://www.jenkins.io/security/advisory/2023-07-12/ (vendor advisory)
- https://www.openwall.com/lists/oss-security/2023/07/12/2 (oss-security announcement)
- https://github.com/jenkinsci/test-results-aggregator-plugin/commit/7dc29066d70af52cb3aa143783e8d2cb863fa4f7 (fix commit)
News mentions
- Jenkins Security Advisory 2023-07-12 (Jenkins Security Advisories, Jul 12, 2023)