Jenkins Gogs Plugin vulnerable to unsafe default behavior and information disclosure
Moderate severity
GitHub Reviewed
Published
Aug 16, 2023
to the GitHub Advisory Database
•
Updated Oct 9, 2024
Package
Affected versions
<= 1.0.15
Patched versions
None
Description
Published by the National Vulnerability Database
Aug 16, 2023
Published to the GitHub Advisory Database
Aug 16, 2023
Reviewed
Aug 16, 2023
Last updated
Oct 9, 2024
Jenkins Gogs Plugin provides a webhook endpoint at
/gogs-webhook
that can be used to trigger builds of jobs. In Gogs Plugin 1.0.15 and earlier, an option to specify a Gogs secret for this webhook is provided, but not enabled by default.This allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified job name.
Additionally, the output of the webhook endpoint includes whether a job corresponding to the attacker-specified job name exists, even if the attacker has no permission to access it.
As of publication of this advisory, there is no fix.
References