CVE-2023-49674: 
Java vulnerability analysis and mitigation

A missing permission check vulnerability (CVE-2023-49674) was identified in Jenkins NeuVector Vulnerability Scanner Plugin versions 1.22 and earlier. The vulnerability was discovered and reported by Yaroslav Afenkin from CloudBees, Inc., and was publicly disclosed on November 29, 2023. This security flaw affects the plugin's connection test HTTP endpoint (Jenkins Advisory, OSS Security).

The vulnerability stems from a missing permission check in a connection test HTTP endpoint of the NeuVector Vulnerability Scanner Plugin. The issue has been assigned a Medium severity rating with a CVSS v3.1 base score of 4.3 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The vulnerability is classified under CWE-862 (Missing Authorization) (NVD).

The vulnerability allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password. This could potentially be exploited to perform unauthorized connection tests to arbitrary systems (Jenkins Advisory).

The vulnerability has been fixed in NeuVector Vulnerability Scanner Plugin version 2.2. The updated version requires POST requests and Overall/Administer permission for the affected HTTP endpoint. Users are advised to upgrade to this version to mitigate the vulnerability (Jenkins Advisory).