May 25, 2023

GHSL-2023-072: Several Server-Side Request Forgery (SSRF) vulnerabilities in the Codedx Jenkins plugin - CVE-2023-2195, CVE-2023-2631

Alvaro Munoz

Coordinated Disclosure Timeline


Several Server-Side Request Forgery (SSRF) vulnerabilities were found in the codedx-plugin. The vulnerabilities reside in the org.jenkinsci.plugins.codedx.CodeDxClient#doFillProjectIdItems, doCheckSelfSignedCertificateFingerprint and doCheckUrl methods and can be exploited without authentication. An attacker can leverage these vulnerabilities to send requests to arbitrary hosts.


Codedx Jenkins plugin

Tested Version



SSRF in org.jenkinsci.plugins.codedx.CodeDxPublisher (GHSL-2023-072)

The doFillProjectIdItems, doCheckSelfSignedCertificateFingerprint and doCheckUrl methods in the file lack proper validation and sanitization of user input for the url parameter, allowing blind exploitation of a server-side request forgery (SSRF).

Affected source code:

public ListBoxModel doFillProjectIdItems(@QueryParameter final String url, @QueryParameter final String selfSignedCertificateFingerprint, @QueryParameter final String key, @AncestorInPath AbstractProject project) {
    ListBoxModel listBox = new ListBoxModel();
    CodeDxClient client = buildClient(url, key, selfSignedCertificateFingerprint);
    try {
        final List<Project> projects = client.getProjects();

In order to exploit the vulnerability, an attacker may send the following crafted request:

GET /jenkins/descriptorByName/org.jenkinsci.plugins.codedx.CodeDxPublisher/fillProjectIdItems? HTTP/1.1
Host: localhost:8080
Connection: close

This vulnerability was found using CodeQL’s SSRF Java query.


The vulnerability allows attackers to send requests to arbitrary hosts/paths without authentication. Since the attacker is not able to read the response, the impact of this vulnerability is limited. However, an attacker should be able to leverage this vulnerability to scan the internal network.
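The root cause described above is a Jenkins form-validation method that opens an outbound connection to a caller-supplied URL before checking who is asking. The following is an added example, not code from the Codedx plugin or from the GHSL, of how such a descriptor can be hardened: every doCheck/doFill method first verifies that the caller may configure the job (or administer the instance when no job is in scope), the doCheck method is restricted to POST so it cannot be triggered by a plain link, and the URL is parsed and restricted to absolute http(s) URLs before any client is built. ExampleDescriptor, ProjectClient and buildClient are hypothetical names chosen for this example.

```java
// Added example (not the plugin's own code): a hardened form-validation
// descriptor for a Jenkins publisher whose helper methods take a user-supplied URL.
// ExampleDescriptor, ProjectClient and buildClient are hypothetical names.
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Publisher;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;

public abstract class ExampleDescriptor extends BuildStepDescriptor<Publisher> {

    /** Hypothetical stand-in for the plugin's HTTP client; each entry is {id, name}. */
    public interface ProjectClient {
        List<String[]> getProjects();
    }

    /** Hypothetical factory for the client; implemented by the concrete plugin. */
    protected abstract ProjectClient buildClient(String url, String key);

    @Override
    public boolean isApplicable(Class<? extends AbstractProject> jobType) {
        return true;
    }

    // Only callers allowed to configure the job (or administer Jenkins when no
    // job is in scope) may make the server open outbound connections for them.
    private static void checkPermission(Item item) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
    }

    // Accept only absolute http(s) URLs with a host; anything else is rejected
    // before a connection is attempted.
    static FormValidation validateUrl(String url) {
        if (url == null || url.trim().isEmpty()) {
            return FormValidation.error("URL is required");
        }
        try {
            URI uri = new URI(url.trim());
            String scheme = uri.getScheme();
            boolean httpLike = "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme);
            if (!httpLike) {
                return FormValidation.error("Only http and https URLs are supported");
            }
            if (uri.getHost() == null) {
                return FormValidation.error("URL must contain a host");
            }
            return FormValidation.ok();
        } catch (URISyntaxException e) {
            return FormValidation.error("Malformed URL: " + e.getMessage());
        }
    }

    // @POST makes Stapler reject GET requests to this method; the matching
    // form field must declare checkMethod="post" in its Jelly view.
    @POST
    public FormValidation doCheckUrl(@QueryParameter String url, @AncestorInPath Item item) {
        checkPermission(item);
        return validateUrl(url);
    }

    public ListBoxModel doFillProjectIdItems(@QueryParameter String url,
                                             @QueryParameter String key,
                                             @AncestorInPath Item item) {
        checkPermission(item);
        ListBoxModel listBox = new ListBoxModel();
        if (validateUrl(url).kind != FormValidation.Kind.OK) {
            // Rejected URL: no network call is made, an empty list is returned.
            return listBox;
        }
        ProjectClient client = buildClient(url.trim(), key);
        for (String[] project : client.getProjects()) {
            listBox.add(project[1], project[0]);
        }
        return listBox;
    }
}
```

The permission check is the decisive control: it turns an unauthenticated, blind SSRF into an action available only to users who could already point the plugin at a server of their choosing through the job configuration. The URL validation narrows what such a user can reach, and restricting doCheckUrl to POST removes the possibility of triggering it through a link or image tag loaded by an authenticated user.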




This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).


You can contact the GHSL team at, please include a reference to GHSL-2023-072 in any communication regarding this issue.