July 17, 2023

GHSL-2023-071: Server-Side Request Forgery (SSRF) in sumologic-publisher-plugin - CVE-2023-37958, CVE-2023-37959

Alvaro Munoz

Coordinated Disclosure Timeline


A Server-Side Request Forgery (SSRF) vulnerability was found in the sumologic-publisher-plugin. The vulnerability resides in the com.sumologic.jenkins.jenkinssumologicplugin.PluginDescriptorImpl#doTestURL method and can be exploited without authentication. An attacker can leverage this vulnerability to send requests to arbitrary hosts.


Sumologic Publisher Jenkins plugin

Tested Version



SSRF in com.sumologic.jenkins.jenkinssumologicplugin.PluginDescriptorImpl#doTestURL (GHSL-2023-071)

The doTestURL method in the file lacks proper validation and sanitization of user input for the url parameter, allowing blind exploitation of a server-side request forgery (SSRF).

Affected source code:

    public FormValidation doTestURL(@QueryParameter("url") String url) {
        // No permission check and no validation of `url`: any caller can make
        // the Jenkins controller issue a request to a host of their choosing.
        try {
            StatusLine statusLine = LogSender.getInstance().testHTTPUrl(url);
            if (200 == statusLine.getStatusCode()) {
                return FormValidation.ok("Success");
            } else {
                return FormValidation.error("URL not valid with message " + statusLine.getReasonPhrase());
            }
        } catch (Exception e) {
            return FormValidation.error("Failure : " + e.getMessage());
        }
    }

In order to exploit the vulnerability, an attacker may send the following crafted request:

GET /jenkins/descriptorByName/com.sumologic.jenkins.jenkinssumologicplugin.SumoBuildNotifier/testURL? HTTP/1.1
Host: localhost:8080
Connection: close

This vulnerability was found using CodeQL’s SSRF Java query.
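A hardened version of the method, written here as an added example and not the plugin's actual fix: it adds the permission check and POST restriction that Jenkins expects on form-validation endpoints, and rejects the URL before any request leaves the controller. The host allow-list is constructed for illustration, and `LogSender.getInstance().testHTTPUrl` is the plugin's own call exactly as it appears in the affected code above.

```java
import hudson.Util;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.apache.http.StatusLine;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public class HardenedPluginDescriptor {
    // Constructed allow-list for illustration; a real deployment would list its collector's domain.
    private static final Set<String> ALLOWED_HOST_SUFFIXES = Set.of(".collector.example.invalid");

    // @POST makes Stapler require the CSRF crumb, so the endpoint cannot be hit with a bare GET link.
    @POST
    public FormValidation doTestURL(@QueryParameter("url") String url) {
        // Require an administrator before the controller makes any outbound request on the caller's behalf.
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        FormValidation check = validateCollectorUrl(url);
        if (check.kind != FormValidation.Kind.OK) {
            return check; // reject before any network I/O happens
        }
        try {
            // Same probe as the original; LogSender is the plugin's own class.
            StatusLine statusLine = LogSender.getInstance().testHTTPUrl(url);
            return 200 == statusLine.getStatusCode()
                    ? FormValidation.ok("Success")
                    : FormValidation.error("URL not valid, HTTP status " + statusLine.getStatusCode());
        } catch (Exception e) {
            // Do not echo the raw exception text: it describes what the controller could or could not reach.
            return FormValidation.error("Connection test failed");
        }
    }

    // Pure validation, kept separate so it can be unit-tested without a running Jenkins instance.
    static FormValidation validateCollectorUrl(String raw) {
        String value = Util.fixEmptyAndTrim(raw);
        if (value == null) return FormValidation.error("URL is required");
        URI uri;
        try { uri = new URI(value); } catch (URISyntaxException e) { return FormValidation.error("Malformed URL"); }
        // Only https, a real host, and no user:pass@ part that downstream parsers might treat differently
        if (!"https".equalsIgnoreCase(uri.getScheme())) return FormValidation.error("Only https:// endpoints are accepted");
        if (uri.getHost() == null || uri.getUserInfo() != null) return FormValidation.error("URL needs a host and must not embed credentials");
        String host = uri.getHost().toLowerCase(Locale.ROOT);
        if (ALLOWED_HOST_SUFFIXES.stream().noneMatch(host::endsWith)) return FormValidation.error("Host is not an approved collector endpoint");
        return FormValidation.ok();
    }
}
```

The allow-list check is what actually closes the SSRF; the permission check and @POST stop unauthenticated and cross-site callers from reaching the endpoint at all.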


This issue may lead to Server-Side Request Forgery.




This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).


You can contact the GHSL team at, please include a reference to GHSL-2023-071 in any communication regarding this issue.