VYPR
High severity · NVD Advisory · Published Dec 13, 2023 · Updated Feb 13, 2025

CVE-2023-50767

Description

Missing permission checks in Nexus Platform Plugin allow attackers with Overall/Read to send HTTP requests to arbitrary URLs and parse XML responses.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

Missing permission checks in Jenkins Nexus Platform Plugin 3.18.0-03 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML. This issue is caused by inadequate authorization in HTTP endpoints, as noted in the Jenkins Security Advisory [1] and the NVD entry [3].

Exploitation

An attacker needs only Overall/Read permission, which is a low-privilege level in Jenkins. By exploiting this flaw, the attacker can make the plugin send a crafted HTTP request to any URL and then parse the XML response. This can be used to perform server-side request forgery (SSRF) attacks, potentially accessing internal systems or services that are not publicly accessible [1][2].

Impact

Successful exploitation allows an attacker to send authenticated requests from the Jenkins controller to arbitrary hosts, bypassing network restrictions. The XML parsing capability could also lead to information disclosure if the response contains sensitive data. The impact is considered moderate but can be leveraged for further attacks [1][3].

Mitigation

The vulnerability is fixed in Nexus Platform Plugin version 3.18.1-01. Users should upgrade immediately. The fix adds proper permission checks and CSRF protection to the affected endpoints [2][4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.sonatype.nexus.ci:nexus-jenkins-plugin (Maven)
Affected versions: < 3.18.1-01
Patched versions: 3.18.1-01
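As an added example (not from the advisory or the plugin project), the following Python snippet parses Nexus-style plugin version strings such as `3.18.0-03`, whose trailing `-NN` build suffix ordinary semver parsers mishandle, and checks an installed-plugin inventory against the patched version in the table above. It assumes the Jenkins plugin `shortName` equals the Maven artifactId `nexus-jenkins-plugin`, and the inventory shape mirrors the `shortName`/`version` fields of Jenkins' plugin manager JSON.

```python
import re
from typing import List, Tuple

# Patched version taken from the advisory table above.
PATCHED = "3.18.1-01"
# Assumed Jenkins shortName for org.sonatype.nexus.ci:nexus-jenkins-plugin.
PLUGIN_SHORT_NAME = "nexus-jenkins-plugin"

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\d+))?$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.18.0-03' into (3, 18, 0, 3) so tuples compare numerically.

    The '-NN' build suffix becomes the last component; a missing suffix
    counts as 0, and short dotted prefixes are padded so that '3.18' and
    '3.18.0' compare equal.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # pad to major.minor.patch
    parts.append(int(m.group(2) or 0))
    return tuple(parts)


def is_affected(installed: str, patched: str = PATCHED) -> bool:
    """Affected range from the advisory: every version strictly below 3.18.1-01."""
    return parse_version(installed) < parse_version(patched)


def find_vulnerable(plugins: List[dict]) -> List[str]:
    """Return versions of the Nexus Platform Plugin in the inventory that need upgrading.

    `plugins` mimics the 'plugins' array of Jenkins' pluginManager JSON API.
    """
    return [
        p["version"]
        for p in plugins
        if p.get("shortName") == PLUGIN_SHORT_NAME and is_affected(p["version"])
    ]


# Constructed sample inventory, not data from any real controller.
SAMPLE_PLUGINS = [
    {"shortName": "git", "version": "5.2.1"},
    {"shortName": "nexus-jenkins-plugin", "version": "3.18.0-03"},
]

if __name__ == "__main__":
    for v in find_vulnerable(SAMPLE_PLUGINS):
        print(f"{PLUGIN_SHORT_NAME} {v} is affected by CVE-2023-50767; upgrade to {PATCHED}")
```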

Affected products: 2

Patches: 1

Commit 1d5e1e9e457a

Add protection from CSRF (#291)

4 files changed · +20 −1
  • pom.xml (+1 −1, modified)
    @@ -85,7 +85,7 @@
         <enforcer.skip>true</enforcer.skip> <!-- TODO numerous requireUpperBoundDeps, some probably indicative of real problems -->
         <jvnet-localizer-plugin.version>1.23</jvnet-localizer-plugin.version>
         <forkCount>1</forkCount>
    -    <nexus-platform-api.version>4.3.1-01</nexus-platform-api.version>
    +    <nexus-platform-api.version>4.3.2-01</nexus-platform-api.version>
     
         <buildsupport.version>36</buildsupport.version>
         <buildsupport.license-maven-plugin.version>4.1</buildsupport.license-maven-plugin.version>
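Review bot: the bump of `nexus-platform-api.version` from 4.3.1-01 to 4.3.2-01 is not explained by the commit message ("Add protection from CSRF") or by anything else in the diff; either state in the message why the API dependency has to move together with the permission fix, or split it into its own commit so the security change stays reviewable on its own.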
    
  • src/main/java/org/sonatype/nexus/ci/config/NxiqConfiguration.groovy (+9 −0, modified)
    @@ -24,6 +24,7 @@ import hudson.util.ListBoxModel
     import jenkins.model.Jenkins
     import org.kohsuke.stapler.DataBoundConstructor
     import org.kohsuke.stapler.QueryParameter
    +import org.kohsuke.stapler.verb.POST
     
     class NxiqConfiguration
         implements Describable<NxiqConfiguration>
    @@ -83,7 +84,9 @@ class NxiqConfiguration
           Messages.NxiqConfiguration_DisplayName()
         }
     
    +    @POST
         FormValidation doCheckDisplayName(@QueryParameter String value, @QueryParameter String internalId) {
    +      Jenkins.get().checkPermission(Jenkins.ADMINISTER)
           def globalConfigurations = GlobalNexusConfiguration.globalNexusConfiguration
           for (NxiqConfiguration config : globalConfigurations.iqConfigs) {
             if (config.internalId != internalId && config.displayName == value) {
    @@ -93,7 +96,9 @@ class NxiqConfiguration
           return FormUtil.validateNotEmpty(value, 'Display Name is required')
         }
     
    +    @POST
         FormValidation doCheckId(@QueryParameter String value, @QueryParameter String internalId) {
    +      Jenkins.get().checkPermission(Jenkins.ADMINISTER)
           def globalConfigurations = GlobalNexusConfiguration.globalNexusConfiguration
           for (NxiqConfiguration config : globalConfigurations.iqConfigs) {
             if (config.internalId != internalId && config.id == value) {
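Review bot: the identical `@POST` plus `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` preamble is now repeated in `doCheckDisplayName` and `doCheckId` (and again in the two hunks below); a single private helper called first in each endpoint would make the guard harder to forget on the next `doCheck*`/`doFill*` method added to this class. ADMINISTER is the right permission here, since these validate global-configuration fields.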
    @@ -108,7 +113,9 @@ class NxiqConfiguration
         }
     
         @SuppressWarnings('unused')
    +    @POST
         FormValidation doCheckServerUrl(@QueryParameter String value) {
    +      Jenkins.get().checkPermission(Jenkins.ADMINISTER)
           def validation = FormUtil.validateUrl(value)
           if (validation.kind == Kind.OK) {
             validation = FormUtil.validateNotEmpty(value, Messages.Configuration_ServerUrlRequired())
    @@ -123,10 +130,12 @@ class NxiqConfiguration
         }
     
         @SuppressWarnings('unused')
    +    @POST
         FormValidation doVerifyCredentials(
             @QueryParameter String serverUrl,
             @QueryParameter String credentialsId) throws IOException
         {
    +      Jenkins.get().checkPermission(Jenkins.ADMINISTER)
           return IqUtil.verifyJobCredentials(serverUrl, credentialsId, Jenkins.instance)
         }
       }
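Review bot: the new guard uses `Jenkins.get()` while the body on the following line still passes `Jenkins.instance` (Groovy shorthand for the deprecated `Jenkins.getInstance()`) to `IqUtil.verifyJobCredentials`; since this is the endpoint that actually contacts the caller-supplied `serverUrl`, tidy it to `Jenkins.get()` in the same change so the method reads consistently.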
    
  • src/main/java/org/sonatype/nexus/ci/config/Nxrm2Configuration.groovy (+5 −0, modified)
    @@ -18,8 +18,10 @@ import org.sonatype.nexus.ci.config.NxrmConfiguration.NxrmDescriptor
     
     import hudson.Extension
     import hudson.util.FormValidation
    +import jenkins.model.Jenkins
     import org.kohsuke.stapler.DataBoundConstructor
     import org.kohsuke.stapler.QueryParameter
    +import org.kohsuke.stapler.verb.POST
     
     import static hudson.util.FormValidation.error
     import static hudson.util.FormValidation.ok
    @@ -58,9 +60,12 @@ class Nxrm2Configuration
         }
     
         @Override
    +    @POST
         FormValidation doVerifyCredentials(@QueryParameter String serverUrl, @QueryParameter String credentialsId)
             throws IOException
         {
    +      Jenkins.get().checkPermission(Jenkins.ADMINISTER)
    +
           try {
             def repositories = getApplicableRepositories(serverUrl, credentialsId)
     
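Review bot: none of the four changed files adds a test; a test asserting that a user holding only Overall/Read receives a 403 from `doVerifyCredentials`, and that a GET is rejected by `@POST`, would lock in the fix this advisory describes and catch a regression if the guard is ever removed.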
    
  • src/main/java/org/sonatype/nexus/ci/config/Nxrm3Configuration.groovy (+5 −0, modified)
    @@ -17,8 +17,10 @@ import com.sonatype.nexus.api.exception.RepositoryManagerException
     import groovy.util.logging.Log
     import hudson.Extension
     import hudson.util.FormValidation
    +import jenkins.model.Jenkins
     import org.kohsuke.stapler.DataBoundConstructor
     import org.kohsuke.stapler.QueryParameter
    +import org.kohsuke.stapler.verb.POST
     
     import static hudson.util.FormValidation.error
     import static hudson.util.FormValidation.ok
    @@ -80,9 +82,12 @@ class Nxrm3Configuration
         }
     
         @Override
    +    @POST
         FormValidation doVerifyCredentials(@QueryParameter String serverUrl, @QueryParameter String credentialsId)
             throws IOException
         {
    +      Jenkins.get().checkPermission(Jenkins.ADMINISTER)
    +
           def repositories
           def badVersionMsg = ''
     
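Review bot: style point: the blank line inserted after `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` here and in Nxrm2Configuration is absent from the four guarded methods in NxiqConfiguration; pick one layout for the guard across the three files.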
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 1