CVE-2023-40348: Jenkins Gogs Plugin vulnerable to unsafe default behavior and information disclosure

August 16, 2023 (updated August 18, 2023)

The webhook endpoint in Jenkins Gogs Plugin 1.0.15 and earlier provides unauthenticated attackers information about the existence of jobs in its output.

References

www.openwall.com/lists/oss-security/2023/08/16/3
github.com/advisories/GHSA-qxwc-wchr-5h29
nvd.nist.gov/vuln/detail/CVE-2023-40348
www.jenkins.io/security/advisory/2023-08-16/

Code Behaviors & Features

Detect and mitigate CVE-2023-40348 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →