CVE-2023-43500
Description
A cross-site request forgery (CSRF) vulnerability in Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier allows attackers to connect to an attacker-specified hostname and port using attacker-specified username and password.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier lets attackers connect to an arbitrary host and port using attacker-controlled credentials.
Vulnerability
A cross-site request forgery (CSRF) vulnerability exists in the Jenkins Build Failure Analyzer Plugin versions 2.4.1 and earlier. The plugin does not require a multi-step or confirmation process for actions that initiate connections to external servers, allowing an attacker to craft a malicious request that, when executed by an authenticated user, triggers the plugin to connect to an attacker-specified hostname and port [1][2].
Exploitation
To exploit this vulnerability, an attacker must trick a Jenkins user with sufficient permissions into clicking on a crafted link or visiting a malicious webpage while that user is authenticated to Jenkins. The attack does not require any special privileges beyond the ability to lure a user. The plugin will then attempt to connect to the attacker-defined destination using a username and password also supplied by the attacker [1][3].
Impact
If successful, the attacker can cause the Jenkins server to initiate outbound connections to arbitrary hosts on arbitrary ports, potentially facilitating port scanning, exploitation of internal services, or credential brute-force attacks against systems that accept the attacker-supplied credentials [2]. This could lead to further compromise of the Jenkins environment or adjacent infrastructure.
Mitigation
The vulnerability is fixed in Build Failure Analyzer Plugin version 2.4.2, which includes CSRF protection for this operation [2][3]. Users are strongly advised to update to the latest version. No workaround is mentioned in the advisory.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
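The advisory narrative above says the fix adds CSRF protection to the operation that opens the outbound connection. As an added example, not code from the Build Failure Analyzer Plugin, the Jenkins project or the advisory, the block below shows the general Jenkins/Stapler pattern for a form-validation endpoint that tests a connection: the unprotected shape answers any HTTP method, so a request forged from a third-party page can make the server dial a caller-chosen host and port, while the hardened shape requires a POST (which Jenkins' crumb filter then checks for a CSRF token) and an explicit permission. The class, method and helper names are hypothetical; the page does not name the plugin's actual endpoint, and the real plugin would use its own protocol client with the credentials rather than a bare TCP connect.

```java
package example;  // hypothetical package name

import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;

/** Added example (hypothetical names): contrasts an unprotected and a CSRF-protected
 *  connection-test endpoint of the kind the advisory describes. */
public final class ConnectionConfigExamples {

    /** Vulnerable shape, shown for contrast only (deliberately NOT registered as an
     *  @Extension). Stapler maps doTestConnection to the URL ".../testConnection" for
     *  any HTTP method, so a plain GET triggered from another site while the victim is
     *  logged in is enough to make the Jenkins server connect to host:port. */
    public static class UnsafeConnectionConfig extends GlobalConfiguration {
        public FormValidation doTestConnection(@QueryParameter String host,
                                               @QueryParameter int port,
                                               @QueryParameter String username,
                                               @QueryParameter String password) {
            return probe(host, port);
        }
    }

    /** Hardened shape. @RequirePOST rejects every non-POST request; with CSRF
     *  protection enabled, Jenkins' crumb filter then requires a valid crumb on the
     *  POST, which a cross-site page cannot obtain. The permission check additionally
     *  limits which authenticated users may cause outbound connections at all. */
    @Extension
    public static class HardenedConnectionConfig extends GlobalConfiguration {
        @RequirePOST
        public FormValidation doTestConnection(@QueryParameter String host,
                                               @QueryParameter int port,
                                               @QueryParameter String username,
                                               @QueryParameter String password) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return probe(host, port);
        }
    }

    private static final int TIMEOUT_MS = 3000;

    /** Shared reachability check (hypothetical helper). A timeout keeps a forged or
     *  mistaken request from tying up a request thread; the error message is generic
     *  so the response does not reveal internal addressing details. */
    static FormValidation probe(String host, int port) {
        if (host == null || host.trim().isEmpty()) {
            return FormValidation.error("Host must not be empty");
        }
        if (port < 1 || port > 65535) {
            return FormValidation.error("Port must be between 1 and 65535");
        }
        try (Socket socket = new Socket()) {
            socket.connect(new InetSocketAddress(host.trim(), port), TIMEOUT_MS);
            return FormValidation.ok("Connection succeeded");
        } catch (IOException e) {
            return FormValidation.error("Connection failed");
        }
    }

    private ConnectionConfigExamples() {}
}
```

When reviewing a plugin for this class of issue, the practical check is to list every `doXxx` method that causes a side effect (network connection, file write, credential use) and confirm each carries `@RequirePOST` (or `@POST`) plus a permission check; the Jenkins form-validation UI sends POST requests by default, so the annotation costs nothing for legitimate use.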
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.sonyericsson.jenkins.plugins.bfa:build-failure-analyzer (Maven) | < 2.4.2 | 2.4.2 |
Affected products
- Jenkins Project / Jenkins Build Failure Analyzer Plugin
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-58rq-69jp-xc23 (GHSA: advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-43500 (GHSA: advisory)
- www.jenkins.io/security/advisory/2023-09-20/ (GHSA: vendor advisory, web)
- www.openwall.com/lists/oss-security/2023/09/20/5 (GHSA: web)
News mentions
- Jenkins Security Advisory 2023-09-20 (Jenkins Security Advisories, Sep 20, 2023)