CVE-2023-40349
Description
Jenkins Gogs Plugin 1.0.15 and earlier fails to properly secure its webhook endpoint, allowing unauthenticated attackers to trigger job builds.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Gogs Plugin versions 1.0.15 and earlier improperly initialize an option meant to secure the webhook endpoint, leaving it unprotected [1][3]. This flaw allows any unauthenticated attacker with network access to the Jenkins instance to trigger builds of jobs configured to use the Gogs plugin [1][2].
By simply sending a request to the webhook endpoint, an attacker can cause arbitrary builds to be triggered without any authentication [2]. This can lead to unauthorized execution of build steps, potentially consuming resources or exposing sensitive data if the build process is misused.
As of the advisory date, the vulnerability remains unresolved in the Gogs Plugin [2]. Users are advised to disable the plugin or restrict network access to the Jenkins instance until a fix is available [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:gogs-webhook (Maven) | <= 1.0.15 | — |
Affected products
- Range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-rc33-44qp-vpvq (source: GHSA; type: advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-40349 (source: GHSA; type: advisory)
- www.jenkins.io/security/advisory/2023-08-16/ (source: GHSA; type: vendor advisory, web)
- www.openwall.com/lists/oss-security/2023/08/16/3 (source: GHSA; type: web)
News mentions
- Jenkins Security Advisory 2023-08-16 (Jenkins Security Advisories, Aug 16, 2023)