CVE-2023-28676: 
Java vulnerability analysis and mitigation

A cross-site request forgery (CSRF) vulnerability was identified in Jenkins Convert To Pipeline Plugin version 1.0 and earlier, tracked as CVE-2023-28676. The vulnerability was discovered and disclosed on March 21, 2023, affecting the HTTP endpoint responsible for converting Freestyle projects to Pipeline. This security issue was assigned a CVSS v3.1 base score of 8.8 (High) (Jenkins Advisory, NVD).

The vulnerability stems from the plugin's failure to require POST requests for the HTTP endpoint that handles the conversion of Freestyle projects to Pipeline. The technical assessment revealed a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, no privileges required, and user interaction required for exploitation (NVD).

The vulnerability enables attackers to create a Pipeline based on a Freestyle project without proper authorization. When combined with another vulnerability (SECURITY-2966), this can lead to the execution of unsandboxed Pipeline scripts, potentially resulting in remote code execution (RCE) on the affected Jenkins instance (Jenkins Advisory).

As of the advisory's publication date, no official fix was available for this vulnerability in the Convert To Pipeline Plugin. Users of the affected versions (1.0 and earlier) should consider disabling the plugin or implementing additional security controls to prevent unauthorized access to the conversion endpoint (Jenkins Advisory).