CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Description (NVD)
Jenkins AppSpider Plugin 1.0.17 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to connect to an attacker-specified URL.
Analysis (AI)
A missing permission check in Jenkins AppSpider Plugin 1.0.17 and earlier allows any authenticated user with Overall/Read permission to make the Jenkins controller initiate connections to arbitrary attacker-specified URLs via a form validation endpoint. This is a server-side request forgery (SSRF)-class primitive: an attacker can use it to probe internal network services, perform port scanning, or interact with internal infrastructure reachable from the Jenkins host. …
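The defect the description refers to, as an added illustration that is not the AppSpider plugin's own code: a hypothetical Jenkins form-validation method shown first without a permission check, then with the Overall/Administer check and POST-only restriction that close the hole. The class, method and parameter names are assumptions; only the Jenkins and Stapler APIs used are real.

```java
// Added illustration, not the AppSpider plugin's code. Method and class
// names are hypothetical; a real plugin would put these on a Descriptor.
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.net.HttpURLConnection;
import java.net.URL;

public class ScannerConnectionCheck {

    // Vulnerable pattern: Stapler exposes any public doXxx method as a URL, so
    // every user who can reach the web UI (Overall/Read) can make the
    // controller open a connection to a URL of their choosing.
    public FormValidation doTestConnectionUnsafe(@QueryParameter String url) {
        return tryConnect(url);
    }

    // Hardened pattern: require Overall/Administer before touching the
    // user-supplied URL, and accept only POST so the endpoint cannot be
    // triggered through a crafted GET link.
    @POST
    public FormValidation doTestConnection(@QueryParameter String url) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return tryConnect(url);
    }

    // Shared connection logic; the permission check must run before this.
    private static FormValidation tryConnect(String url) {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            conn.setRequestMethod("HEAD");
            int status = conn.getResponseCode();
            return status < 400
                    ? FormValidation.ok("Reachable (HTTP " + status + ")")
                    : FormValidation.warning("Endpoint answered HTTP " + status);
        } catch (Exception e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }
}
```

Detection of exploitation attempts on an unpatched instance reduces to reviewing controller access logs for requests to the plugin's form-validation URL from non-administrator accounts.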
Identifiers: EUVD-2026-32514, GHSA-9wm7-8qf3-9v98