Description
A missing permission check in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials.
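The defect class described above is a form-validation endpoint (a Jenkins "doXxx" method bound to a "Test connection" button) that performs outbound network access with caller-supplied URL and credentials before verifying that the caller is allowed to do so. The Java below is an added illustration of the hardened pattern, written for this page; it is not the AppSpider plugin's code, and the class name `ScannerGlobalConfig`, the field names and the endpoint URL are hypothetical. It uses only Jenkins core and Stapler APIs: `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` rejects callers who hold only Overall/Read, and `@POST` restricts the endpoint to POST requests carrying a CSRF crumb.

```java
package example; // hypothetical package, not the AppSpider plugin's

import hudson.Extension;
import hudson.util.FormValidation;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;

/**
 * Hypothetical global configuration page for a scanner integration.
 * Demonstrates the permission-check pattern for form-validation endpoints
 * that reach out to a user-supplied URL with user-supplied credentials.
 */
@Extension
public class ScannerGlobalConfig extends GlobalConfiguration {

    /**
     * Hardened "Test connection" handler. The vulnerable variant of this
     * method is identical except that it lacks the @POST annotation and the
     * checkPermission line: any authenticated user with Overall/Read could
     * then make the controller POST credentials of their choosing to a URL
     * of their choosing.
     */
    @POST
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter String username,
                                           @QueryParameter Secret password) {
        // Authorization first: only administrators may trigger outbound
        // requests from the controller. Throws AccessDeniedException otherwise.
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);

        // Build the JSON body with Jenkins' bundled json-lib rather than
        // string concatenation, so quotes in the inputs cannot break the document.
        JSONObject body = new JSONObject();
        body.put("username", username);
        body.put("password", Secret.toString(password));
        byte[] payload = body.toString().getBytes(StandardCharsets.UTF_8);

        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
            conn.setRequestMethod("POST");
            conn.setDoOutput(true);
            conn.setConnectTimeout(10_000);
            conn.setReadTimeout(10_000);
            conn.setRequestProperty("Content-Type", "application/json");
            try (OutputStream out = conn.getOutputStream()) {
                out.write(payload);
            }
            int status = conn.getResponseCode();
            if (status >= 200 && status < 300) {
                return FormValidation.ok("Connection succeeded");
            }
            return FormValidation.error("Server returned HTTP " + status);
        } catch (IOException e) {
            // Do not echo the exception chain verbatim; it can leak internal hostnames.
            return FormValidation.error("Connection failed: " + e.getClass().getSimpleName());
        }
    }
}
```

When reviewing a plugin for this class of issue, every `doXxx` method on a `Descriptor` or `GlobalConfiguration` that opens a socket, reads a file or uses credentials should have an explicit `checkPermission` call before the sensitive action; `Jenkins.ADMINISTER` is the usual choice for global-configuration pages, while item-scoped descriptors typically check `Item.CONFIGURE` on the context object instead.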
Remediation
References
https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3121
Related Vulnerabilities
CVE-2013-7398 Vulnerability in maven package com.ning:async-http-client
CVE-2015-5348 Vulnerability in maven package org.apache.camel:camel-jetty9
CVE-2018-1999046 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2019-10343 Vulnerability in maven package io.jenkins:configuration-as-code
CVE-2019-10364 Vulnerability in maven package org.jenkins-ci.plugins:ec2