CVE-2023-30521 — Jenkins Assembla merge request builder Plugin missing authentication to access e

Description

Jenkins Assembla merge request builder Plugin provides a webhook endpoint at `/assembla-webhook/` that can be used to trigger builds of jobs configured to use a specified repository. In Assembla merge request builder Plugin 1.1.13 and earlier, this endpoint can be accessed without authentication. This allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.

How to fix CVE-2023-30521

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2023-30521 being exploited?

Low — EPSS is 1.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 1.1.13

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-30521
WEBwww.jenkins.io/security/advisory/2023-04-12/#SECURITY-2872
WEBwww.openwall.com/lists/oss-security/2023/04/13/3