CVE-2023-49673: 
Java vulnerability analysis and mitigation

A cross-site request forgery (CSRF) vulnerability was discovered in Jenkins NeuVector Vulnerability Scanner Plugin versions 1.22 and earlier. The vulnerability was identified and tracked as CVE-2023-49673, disclosed on November 29, 2023. The affected component is the connection test HTTP endpoint in the NeuVector Vulnerability Scanner Plugin (Jenkins Advisory, NVD).

The vulnerability stems from the plugin's failure to require POST requests in its connection test HTTP endpoint. The issue has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-352: Cross-Site Request Forgery (CSRF) (NVD).

The vulnerability allows attackers to connect to an attacker-specified hostname and port using attacker-specified username and password. This could potentially lead to unauthorized access and control of the affected systems (Jenkins Advisory).

The vulnerability has been fixed in NeuVector Vulnerability Scanner Plugin version 2.2. The updated version requires POST requests and Overall/Administer permission for the affected HTTP endpoint. Users are advised to upgrade to this version to mitigate the vulnerability (Jenkins Advisory).