Description
Jenkins AppSpider Plugin 1.0.17 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to connect to an attacker-specified URL.
Published: 2026-05-27
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Jenkins AppSpider Plugin versions 1.0.17 and earlier contain a missing permission check in a form-validation method. The flaw allows a user possessing only Overall/Read permission to make the plugin open a connection to a URL supplied by that user. This results in unchecked outbound network traffic initiated from the Jenkins instance, which may expose the environment to unintended external communication. The weakness is classified as CWE-269, Improper Privilege Management.

Affected Systems

Any Jenkins installation running AppSpider Plugin 1.0.17 or earlier is affected. The plugin is part of the Jenkins Project and is commonly integrated into pipelines. Versions later than 1.0.18 are not affected.

Risk and Exploitability

The CVSS score is 4.3, indicating moderate severity. EPSS data is not available, suggesting no widespread exploitation reports. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the Jenkins web interface: any user with Overall/Read access can submit the vulnerable form, so exploitation requires no privileges beyond read. During exploitation the plugin attempts to connect to an arbitrary URL, enabling potential misuse of the Jenkins instance's network connectivity.

Generated by OpenCVE AI on May 27, 2026 at 21:18 UTC.
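The missing check described above, shown on a hypothetical Jenkins global-configuration descriptor. This is an added example in Java, not the AppSpider plugin's own code; the class, method and parameter names are assumptions. The first method is the vulnerable pattern (a Stapler form-validation endpoint with no permission check), the second is the permission-checked form that Jenkins plugin developers are expected to use.

```java
import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;

@Extension
public class ScannerGlobalConfiguration extends GlobalConfiguration { // hypothetical name
    // VULNERABLE pattern, as the advisory describes it: Stapler routes every
    // doCheck* method to a URL, and nothing here asks who is calling. A user
    // with only Overall/Read can make the controller connect to any URL.
    public FormValidation doCheckServerUrlUnsafe(@QueryParameter String value) {
        try {
            new URL(value).openConnection().connect();
            return FormValidation.ok();
        } catch (IOException e) {
            return FormValidation.error("Cannot reach " + value + ": " + e.getMessage());
        }
    }

    // HARDENED pattern: require Overall/Administer before touching the input,
    // accept only POST so a crafted link cannot trigger it, and pin the scheme.
    @POST
    public FormValidation doCheckServerUrl(@QueryParameter String value) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER); // AccessDeniedException otherwise
        URL url;
        try {
            url = new URL(value);
        } catch (MalformedURLException e) {
            return FormValidation.error("Not a valid URL");
        }
        if (!"https".equals(url.getProtocol())) {
            return FormValidation.error("Only https:// URLs are accepted");
        }
        try {
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setConnectTimeout(5000);
            conn.setRequestMethod("HEAD");
            int code = conn.getResponseCode();
            return code < 400 ? FormValidation.ok() : FormValidation.error("Server returned HTTP " + code);
        } catch (IOException e) {
            return FormValidation.error("Cannot reach " + url + ": " + e.getMessage());
        }
    }
}
```

For job-level configuration the same check is made against the item instead (Item.CONFIGURE with an @AncestorInPath Item parameter); the global case is shown here because the advisory does not say which form is affected.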

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of the Jenkins AppSpider Plugin (v1.0.18 or later), which includes the missing permission check.
  • Limit the Overall/Read permission to trusted users only; consider removing read access for untrusted accounts to prevent use of the vulnerable form.
  • Configure Jenkins’ outbound network policy or firewall rules to block or log connections initiated by plugins, thereby preventing arbitrary downstream requests.

Generated by OpenCVE AI on May 27, 2026 at 21:18 UTC.

Advisories

No advisories yet.

History

Sat, 30 May 2026 23:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Jenkins Project; Jenkins Project jenkins Appspider Plugin
Vendors & Products   -                Jenkins Project; Jenkins Project jenkins Appspider Plugin

Thu, 28 May 2026 17:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Jenkins; Jenkins appspider
CPEs                 -                cpe:2.3:a:jenkins:appspider:*:*:*:*:*:jenkins:*:*
Vendors & Products   -                Jenkins; Jenkins appspider

Wed, 27 May 2026 21:45:00 +0000

Type   Values Removed   Values Added
Title  -                Jenkins AppSpider Plugin Enables Unchecked Outbound Connections

Wed, 27 May 2026 16:30:00 +0000

Type        Values Removed   Values Added
Weaknesses  -                CWE-269
Metrics     -                cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}
                             ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 15:15:00 +0000

Type         Values Removed   Values Added
Description  -                Jenkins AppSpider Plugin 1.0.17 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to connect to an attacker-specified URL.
References

MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-05-27T15:23:37.921Z

Reserved: 2026-05-26T14:50:46.813Z

Link: CVE-2026-48923

Vulnrichment

Updated: 2026-05-27T15:23:17.126Z

NVD

Status : Analyzed

Published: 2026-05-27T15:16:31.950

Modified: 2026-05-28T17:01:11.383

Link: CVE-2026-48923

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T21:21:53Z

Weaknesses
  • CWE-269: Improper Privilege Management