CVE-2023-50768: 
Java vulnerability analysis and mitigation

A cross-site request forgery (CSRF) vulnerability was discovered in Jenkins Nexus Platform Plugin versions 3.18.0-03 and earlier. The vulnerability was identified as CVE-2023-50768 and was disclosed on December 13, 2023. The affected component is the Jenkins Nexus Platform Plugin, which is a Jenkins automation server plugin (Jenkins Advisory, NVD).

The vulnerability stems from the plugin's failure to perform permission checks in methods implementing form validation. The issue has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-352: Cross-Site Request Forgery (CSRF) (NVD).

This vulnerability allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, potentially leading to the capture of credentials stored in Jenkins (Jenkins Advisory).

The vulnerability has been fixed in Nexus Platform Plugin version 3.18.1-01. The fix requires POST requests and Overall/Administer permission for the affected form validation methods. Note that the Nexus Platform Plugin is not currently distributed by the Jenkins Project due to licensing issues, but the fixed version can be downloaded from the Sonatype website (Jenkins Advisory).

The vulnerability was discovered and reported by Andrea Chiera from CloudBees, Inc., demonstrating the active security research within the Jenkins community (Jenkins Advisory).