CVE-2023-50766: 
Java vulnerability analysis and mitigation

A cross-site request forgery (CSRF) vulnerability identified as CVE-2023-50766 affects the Jenkins Nexus Platform Plugin versions 3.18.0-03 and earlier. The vulnerability was discovered by Andrea Chiera of CloudBees, Inc. and was publicly disclosed on December 13, 2023. The affected component is the Jenkins Nexus Platform Plugin, which is a Jenkins automation server extension (Jenkins Advisory).

The vulnerability stems from the plugin's form validation methods not requiring POST requests and lacking proper permission checks. This implementation flaw allows attackers to send HTTP requests to attacker-specified URLs and parse the responses as XML. Additionally, the plugin's XML parser is not configured to prevent XML external entity (XXE) attacks. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

The vulnerability enables attackers to potentially extract secrets from the Jenkins controller or perform server-side request forgery through crafted XML responses that use external entities. The combination of CSRF and XXE capabilities makes this a significant security risk for affected systems (Jenkins Advisory).

The vulnerability has been fixed in Nexus Platform Plugin version 3.18.1-01. The updated version configures its XML parser to prevent XML external entity (XXE) attacks and requires POST requests and Overall/Administer permission for the affected HTTP endpoints. Note that the Nexus Platform Plugin is not currently distributed by the Jenkins Project due to licensing issues, but the fixed version can be downloaded from the Sonatype website (Jenkins Advisory).