CVE-2023-41946: 
Java vulnerability analysis and mitigation

A cross-site request forgery (CSRF) vulnerability and missing permission checks were identified in Jenkins Frugal Testing Plugin version 1.1 and earlier. The vulnerability was discovered and disclosed on September 6, 2023, affecting the Jenkins automation server's Frugal Testing Plugin component (Jenkins Advisory, OSS Security).

The vulnerability stems from two main issues: First, the plugin does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to access unauthorized functionality. Second, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. The issue has been assigned a Medium severity rating (Jenkins Advisory).

The vulnerability allows attackers with Overall/Read permission to connect to Frugal Testing using attacker-specified username and password, and to retrieve test IDs and names from Frugal Testing if a valid credential corresponds to the attacker-specified username (Jenkins Advisory).

As of the advisory publication date, there is no fix available for this vulnerability. Users of the Frugal Testing Plugin version 1.1 and earlier should be aware of the security risk and consider implementing additional security controls to protect their Jenkins instances (Jenkins Advisory).

The vulnerability was reported by Yaroslav Afenkin from CloudBees, Inc., and was published as part of a larger Jenkins security advisory that covered multiple plugin vulnerabilities (Jenkins Advisory).