July 17, 2023

GHSL-2023-063: Server-Side Request Forgery (SSRF) in test-results-aggregator-plugin - CVE-2023-37955, CVE-2023-37956

Alvaro Munoz

Coordinated Disclosure Timeline


A Server-Side Request Forgery (SSRF) vulnerability was found in the test-results-aggregator-plugin. The vulnerability resides in the com.jenkins.testresultsaggregator.TestResultsAggregator#doTestApiConnection method and can be exploited without authentication. An attacker can leverage this vulnerability to send requests to arbitrary hosts.


Test Results Aggregator Jenkins plugin

Tested Version



SSRF in com.jenkins.testresultsaggregator.TestResultsAggregator#doTestApiConnection (GHSL-2023-063)

The doTestApiConnection method in the file lacks proper validation and sanitization of user input for the jenkinsUrl parameter, allowing a blind exploitation of a server-side request forgery (SSRF).

Affected source code:

// Vulnerable form-validation endpoint as found: jenkinsUrl comes straight from
// the request and is used to open an outbound connection, with no check on who
// is calling and no validation of the target.
public FormValidation doTestApiConnection(@QueryParameter final String jenkinsUrl, @QueryParameter final String username, @QueryParameter final Secret password) {
    try {
        new Collector(null, username, password, jenkinsUrl).getAPIConnection();
        return FormValidation.ok(LocalMessages.SUCCESS.toString());
    } catch (Exception e) {
        // The error message leaks the connection failure reason back to the caller.
        return FormValidation.error(LocalMessages.ERROR_OCCURRED.toString() + ": " + e.getMessage());
    }
}
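The following is an added example and is not the plugin's code or the fix that was shipped for this advisory. It is a standalone Java validator for a jenkinsUrl-style parameter, showing the kind of check doTestApiConnection lacks: the target must be an http or https URL, must carry no embedded credentials, must be on an administrator-controlled host allowlist, and must not resolve to a loopback, link-local, unspecified or private address before any connection is opened. The class name JenkinsUrlValidator, the allowlist entry ci.example.com and the sample inputs in main are all constructed for the example.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Set;

// Added example (not the plugin's code): validates a user-supplied Jenkins URL
// before it is handed to anything that opens a network connection.
public final class JenkinsUrlValidator {

    public static final class ValidationException extends Exception {
        ValidationException(String message) { super(message); }
    }

    // Hosts an administrator has explicitly approved; constructed for the example.
    private final Set<String> allowedHosts;

    public JenkinsUrlValidator(Set<String> allowedHosts) {
        this.allowedHosts = allowedHosts;
    }

    /** Returns the parsed URI if it passes every check, otherwise throws. */
    public URI validate(String jenkinsUrl) throws ValidationException {
        if (jenkinsUrl == null || jenkinsUrl.isBlank()) {
            throw new ValidationException("jenkinsUrl is required");
        }
        URI uri;
        try {
            uri = new URI(jenkinsUrl.trim());
        } catch (URISyntaxException e) {
            throw new ValidationException("jenkinsUrl is not a valid URI");
        }
        // Only web schemes: rules out file:, ftp:, gopher: and similar targets.
        String scheme = uri.getScheme();
        if (scheme == null
                || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            throw new ValidationException("only http and https are allowed");
        }
        String host = uri.getHost();
        if (host == null) {
            throw new ValidationException("jenkinsUrl has no host");
        }
        if (uri.getUserInfo() != null) {
            throw new ValidationException("credentials embedded in the URL are not allowed");
        }
        String normalisedHost = host.toLowerCase();
        if (!allowedHosts.contains(normalisedHost)) {
            throw new ValidationException("host is not on the allowlist: " + normalisedHost);
        }
        // Resolve every address for the name and reject internal ranges, so an
        // allowlisted name cannot quietly point at the Jenkins controller itself
        // or at something on the internal network.
        try {
            for (InetAddress addr : InetAddress.getAllByName(normalisedHost)) {
                if (addr.isLoopbackAddress() || addr.isLinkLocalAddress()
                        || addr.isSiteLocalAddress() || addr.isAnyLocalAddress()) {
                    throw new ValidationException("host resolves to an internal address");
                }
            }
        } catch (UnknownHostException e) {
            throw new ValidationException("host does not resolve");
        }
        return uri;
    }

    public static void main(String[] args) {
        JenkinsUrlValidator validator = new JenkinsUrlValidator(Set.of("ci.example.com"));
        // Constructed inputs. The first has the shape of a legitimate value and
        // passes the static checks (whether it is accepted then depends on what
        // ci.example.com resolves to); the others are rejected before any DNS
        // lookup or connection happens.
        String[] samples = {
            "https://ci.example.com/jenkins/",
            "http://localhost:8080/",
            "http://10.0.0.5/",
            "ftp://ci.example.com/",
            "http://admin@ci.example.com/",
            "",
        };
        for (String sample : samples) {
            try {
                URI accepted = validator.validate(sample);
                System.out.println("ACCEPT " + accepted);
            } catch (ValidationException e) {
                System.out.println("REJECT \"" + sample + "\": " + e.getMessage());
            }
        }
    }
}
```

In the plugin itself this validator would run at the top of doTestApiConnection, after a Jenkins.get().checkPermission(Jenkins.ADMINISTER) call and with the method annotated @POST, so that only an administrator's explicit form submission can trigger the outbound request at all; the allowlist belongs in administrator-controlled configuration, never in the request. The validated URI should also be the one passed to Collector, so that the checked value and the connected value cannot diverge.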

In order to exploit the vulnerability, an attacker may send the following crafted request:

GET /jenkins/descriptorByName/com.jenkins.testresultsaggregator.TestResultsAggregator/testApiConnection?jenkinsUrl= HTTP/1.1
Host: localhost:8080
Connection: close

This vulnerability was found using CodeQL’s SSRF Java query.


This issue may lead to server-side request forgery.



This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).


You can contact the GHSL team at, please include a reference to GHSL-2023-063 in any communication regarding this issue.