VYPR
High severity · NVD Advisory · Published Dec 13, 2023 · Updated Feb 13, 2025

CVE-2023-50766

Description

Jenkins Nexus Platform Plugin 3.18.0-03 and earlier is vulnerable to CSRF, allowing an attacker to send HTTP requests to an arbitrary URL and parse the response as XML.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Description

A cross-site request forgery (CSRF) vulnerability exists in Jenkins Nexus Platform Plugin versions 3.18.0-03 and earlier. The plugin's form-validation endpoints did not require a POST request or a permission check, so an attacker can craft a malicious web page that makes a logged-in user's browser trigger a request to an attacker-specified URL, whose response the plugin then parses as XML [1][3].

Exploitation and Attack Surface

An attacker can exploit this vulnerability by tricking a Jenkins user with sufficient permissions into visiting a malicious webpage. The forged request causes the Jenkins server to send an HTTP request to an arbitrary URL controlled by the attacker, and the plugin then parses the XML response from that URL. No additional authentication is required beyond the victim's existing session [1][2].

Impact

Successful exploitation enables the attacker to make the Jenkins server interact with external resources under the attacker’s control. This could lead to information disclosure, further exploitation of internal systems, or other malicious activities depending on the parsed XML content. The vulnerability does not directly allow code execution on the Jenkins controller but can be used as a stepping stone for more complex attacks [1][2].

Mitigation

This vulnerability has been fixed in Nexus Platform Plugin version 3.18.1-01. Users are strongly advised to upgrade to this or a later version. No workarounds have been provided, and the plugin has been archived, so continued use of older versions poses a security risk [1][2][4].
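As an added defensive check (not part of the advisory or of the plugin's own code), the Python script below lints a Jenkins plugin's Groovy or Java source for Stapler form-validation methods that lack the two protections the fix introduces: a `@POST` (or older `@RequirePOST`) annotation and a `checkPermission(...)` call in the method body. The function and constant names are mine, and `SAMPLE` is a constructed source fragment mirroring the pre-fix and post-fix shapes of the methods in the patch.

```python
import re
# Stapler web methods returning FormValidation (doCheckXxx / doVerifyXxx); either
# annotation below limits the endpoint to POST, which Jenkins' CSRF crumb protects.
WEB_METHOD = re.compile(r'^\s*(?:\w+\s+)*FormValidation\s+(do\w+)\s*\(')
POST_ANNOTATIONS = ('@POST', '@RequirePOST')
def _annotations_before(lines, idx):
    # Contiguous annotation lines directly above the signature, arguments stripped.
    anns, i = [], idx - 1
    while i >= 0 and lines[i].strip().startswith('@'):
        anns.append(lines[i].strip().split('(')[0])
        i -= 1
    return anns
def _method_text(lines, idx):
    # The method from its signature line until its braces balance.
    depth, chunk = 0, []
    for line in lines[idx:]:
        chunk.append(line)
        depth += line.count('{') - line.count('}')
        if depth == 0 and '}' in line:
            break
    return '\n'.join(chunk)
def find_unprotected_web_methods(source):
    # Returns 'name: problem[, problem]' for each web method lacking the fix pattern.
    lines, findings = source.splitlines(), []
    for i, line in enumerate(lines):
        m = WEB_METHOD.match(line)
        if not m:
            continue
        problems = []
        if not any(a in POST_ANNOTATIONS for a in _annotations_before(lines, i)):
            problems.append('missing @POST')
        if 'checkPermission(' not in _method_text(lines, i):
            problems.append('missing checkPermission')
        if problems:
            findings.append(f"{m.group(1)}: {', '.join(problems)}")
    return findings
# Constructed sample: one method in the pre-fix shape, one in the post-fix shape.
SAMPLE = '''    @SuppressWarnings('unused')
    FormValidation doCheckServerUrl(@QueryParameter String value) {
      return FormUtil.validateUrl(value)
    }
    @POST
    FormValidation doVerifyCredentials(@QueryParameter String serverUrl, @QueryParameter String credentialsId)
        throws IOException
    {
      Jenkins.get().checkPermission(Jenkins.ADMINISTER)
      return IqUtil.verifyJobCredentials(serverUrl, credentialsId, Jenkins.get())
    }
'''
```

Run it over each descriptor file of a plugin; a signature spread over several lines (as in the patch) is handled because the brace count starts at the signature line.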

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.sonatype.nexus.ci:nexus-jenkins-plugin (Maven)
Affected versions: < 3.18.1-01
Patched versions: 3.18.1-01

Patches

Commit 1d5e1e9e457a

Add protection from CSRF (#291)

4 files changed · +20 −1
  • pom.xml (+1 −1, modified)
    @@ -85,7 +85,7 @@
         <enforcer.skip>true</enforcer.skip> <!-- TODO numerous requireUpperBoundDeps, some probably indicative of real problems -->
         <jvnet-localizer-plugin.version>1.23</jvnet-localizer-plugin.version>
         <forkCount>1</forkCount>
    -    <nexus-platform-api.version>4.3.1-01</nexus-platform-api.version>
    +    <nexus-platform-api.version>4.3.2-01</nexus-platform-api.version>
     
         <buildsupport.version>36</buildsupport.version>
         <buildsupport.license-maven-plugin.version>4.1</buildsupport.license-maven-plugin.version>
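Review bot: The nexus-platform-api bump from 4.3.1-01 to 4.3.2-01 is not explained by the commit message, which only mentions CSRF protection; state in the PR description whether the API upgrade is part of the fix (for example a change in how the verification response is fetched or parsed) or an unrelated dependency refresh, so the security release notes stay accurate.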
    
  • src/main/java/org/sonatype/nexus/ci/config/NxiqConfiguration.groovy (+9 −0, modified)
    @@ -24,6 +24,7 @@ import hudson.util.ListBoxModel
     import jenkins.model.Jenkins
     import org.kohsuke.stapler.DataBoundConstructor
     import org.kohsuke.stapler.QueryParameter
    +import org.kohsuke.stapler.verb.POST
     
     class NxiqConfiguration
         implements Describable<NxiqConfiguration>
    @@ -83,7 +84,9 @@ class NxiqConfiguration
           Messages.NxiqConfiguration_DisplayName()
         }
     
    +    @POST
         FormValidation doCheckDisplayName(@QueryParameter String value, @QueryParameter String internalId) {
    +      Jenkins.get().checkPermission(Jenkins.ADMINISTER)
           def globalConfigurations = GlobalNexusConfiguration.globalNexusConfiguration
           for (NxiqConfiguration config : globalConfigurations.iqConfigs) {
             if (config.internalId != internalId && config.displayName == value) {
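Review bot: Jenkins.get().checkPermission(Jenkins.ADMINISTER) is the right gate for a global-configuration validator, but switching doCheckDisplayName to @POST also requires the Jelly view that calls it to submit the check with POST; unless the plugin's Jenkins core baseline already defaults checkMethod to post, the corresponding f:textbox entry needs checkMethod="post", otherwise the validation call is rejected in the UI.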
    @@ -93,7 +96,9 @@ class NxiqConfiguration
           return FormUtil.validateNotEmpty(value, 'Display Name is required')
         }
     
    +    @POST
         FormValidation doCheckId(@QueryParameter String value, @QueryParameter String internalId) {
    +      Jenkins.get().checkPermission(Jenkins.ADMINISTER)
           def globalConfigurations = GlobalNexusConfiguration.globalNexusConfiguration
           for (NxiqConfiguration config : globalConfigurations.iqConfigs) {
             if (config.internalId != internalId && config.id == value) {
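Review bot: Same guard as doCheckDisplayName, copied by hand; consider moving the permission check into a small helper used by every doCheck* method on this descriptor, or add a test asserting that every FormValidation web method here carries @POST, so a future validator cannot omit the protection.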
    @@ -108,7 +113,9 @@ class NxiqConfiguration
         }
     
         @SuppressWarnings('unused')
    +    @POST
         FormValidation doCheckServerUrl(@QueryParameter String value) {
    +      Jenkins.get().checkPermission(Jenkins.ADMINISTER)
           def validation = FormUtil.validateUrl(value)
           if (validation.kind == Kind.OK) {
             validation = FormUtil.validateNotEmpty(value, Messages.Configuration_ServerUrlRequired())
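Review bot: doCheckServerUrl only validates the URL string and makes no outbound request, so ADMINISTER is stricter than strictly needed, but matching the other validators is the simpler rule; no change requested.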
    @@ -123,10 +130,12 @@ class NxiqConfiguration
         }
     
         @SuppressWarnings('unused')
    +    @POST
         FormValidation doVerifyCredentials(
             @QueryParameter String serverUrl,
             @QueryParameter String credentialsId) throws IOException
         {
    +      Jenkins.get().checkPermission(Jenkins.ADMINISTER)
           return IqUtil.verifyJobCredentials(serverUrl, credentialsId, Jenkins.instance)
         }
       }
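Review bot: doVerifyCredentials is the method that actually performs the outbound request to serverUrl with the stored credentialsId and parses the response, so the @POST plus ADMINISTER gate here is the substantive part of the fix; one nit: the new line uses Jenkins.get() while the existing call still passes Jenkins.instance, so switch the latter to Jenkins.get() for consistency and to drop the deprecated accessor.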
    
  • src/main/java/org/sonatype/nexus/ci/config/Nxrm2Configuration.groovy (+5 −0, modified)
    @@ -18,8 +18,10 @@ import org.sonatype.nexus.ci.config.NxrmConfiguration.NxrmDescriptor
     
     import hudson.Extension
     import hudson.util.FormValidation
    +import jenkins.model.Jenkins
     import org.kohsuke.stapler.DataBoundConstructor
     import org.kohsuke.stapler.QueryParameter
    +import org.kohsuke.stapler.verb.POST
     
     import static hudson.util.FormValidation.error
     import static hudson.util.FormValidation.ok
    @@ -58,9 +60,12 @@ class Nxrm2Configuration
         }
     
         @Override
    +    @POST
         FormValidation doVerifyCredentials(@QueryParameter String serverUrl, @QueryParameter String credentialsId)
             throws IOException
         {
    +      Jenkins.get().checkPermission(Jenkins.ADMINISTER)
    +
           try {
             def repositories = getApplicableRepositories(serverUrl, credentialsId)
     
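Review bot: The @POST and checkPermission guard is duplicated verbatim here and in Nxrm3Configuration on an @Override of NxrmConfiguration.NxrmDescriptor.doVerifyCredentials; since Java method annotations are not inherited by overrides, make the base declaration a final template method that carries @POST, performs the permission check, and delegates to an abstract hook, so any further NxrmConfiguration subclass is protected by default.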
    
  • src/main/java/org/sonatype/nexus/ci/config/Nxrm3Configuration.groovy (+5 −0, modified)
    @@ -17,8 +17,10 @@ import com.sonatype.nexus.api.exception.RepositoryManagerException
     import groovy.util.logging.Log
     import hudson.Extension
     import hudson.util.FormValidation
    +import jenkins.model.Jenkins
     import org.kohsuke.stapler.DataBoundConstructor
     import org.kohsuke.stapler.QueryParameter
    +import org.kohsuke.stapler.verb.POST
     
     import static hudson.util.FormValidation.error
     import static hudson.util.FormValidation.ok
    @@ -80,9 +82,12 @@ class Nxrm3Configuration
         }
     
         @Override
    +    @POST
         FormValidation doVerifyCredentials(@QueryParameter String serverUrl, @QueryParameter String credentialsId)
             throws IOException
         {
    +      Jenkins.get().checkPermission(Jenkins.ADMINISTER)
    +
           def repositories
           def badVersionMsg = ''
     
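Review bot: Identical guard to Nxrm2Configuration; add a JenkinsRule-based regression test for both descriptors that issues a GET and an unprivileged POST to their doVerifyCredentials endpoint and expects 405 and 403 respectively, so the protection cannot regress silently when either class is refactored.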
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
