July 17, 2023

GHSL-2023-073: Server-Side Request Forgery (SSRF) in benchmark-evaluator-plugin - CVE-2023-37962, CVE-2023-37963

Alvaro Munoz

Coordinated Disclosure Timeline


A Server-Side Request Forgery (SSRF) vulnerability was found in the benchmark-evaluator-plugin. The vulnerability resides in the io.jenkins.plugins.benchmark.BenchmarkBuilder#doCheckFilepath method and can be exploited without authentication. An attacker can leverage this vulnerability to send requests to arbitrary hosts.


Benchmark Evaluator Jenkins plugin

Tested Version



SSRF in io.jenkins.plugins.benchmark.BenchmarkBuilder#doCheckFilepath (GHSL-2023-073)

The doCheckFilepath method in the file lacks proper validation and sanitization of user input for the ctrlUrl parameter, allowing blind exploitation of a server-side request forgery (SSRF).

Affected source code:

public FormValidation doCheckFilepath(@QueryParameter String filepath) throws IOException, ServletException {
    for (String end : BenchmarkResults.endings) {
        ending = end;
        // ... (the remainder of the loop body is not reproduced on this page)

    Map<String, Double> m = null;
    try {
        // The user-supplied filepath reaches the read() call without validation:
        // this is the request the attacker controls.
        ReadResult r = new BenchmarkResults(filepath).read();
        // ... (rest of the method is not reproduced on this page)

In order to exploit the vulnerability, an attacker may send the following crafted request:

GET /jenkins/descriptorByName/io.jenkins.plugins.benchmark.BenchmarkBuilder/checkFilepath? HTTP/1.1
Host: localhost:8080
Connection: close

This vulnerability was found using CodeQL’s SSRF Java query.
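For comparison, an added example that is not the plugin's own code: a hardened shape for the same form-validation endpoint, which checks the caller's permission, requires a POST, and only validates the value syntactically instead of reading or fetching it. It assumes the Jenkins core and Stapler APIs in the imports; the class name and the ENDINGS values are placeholders.

```java
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

/** Hypothetical hardened descriptor: the validator never reads a file or a URL. */
public class HardenedBenchmarkValidation {
    // Assumed allow-list standing in for BenchmarkResults.endings from the page.
    static final String[] ENDINGS = {".json", ".xml"};

    /** Side-effect-free syntactic check: no network and no filesystem access. */
    public static FormValidation validateFilepathSyntax(String filepath) {
        if (filepath == null || filepath.trim().isEmpty()) {
            return FormValidation.error("Please provide a results file path.");
        }
        String v = filepath.trim();
        // Reject anything carrying a URL scheme (http:, https:, file:, ...), per
        // RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":". Drive-letter
        // paths such as C:\ are rejected by the same rule; only workspace-relative
        // paths are accepted.
        if (v.matches("(?i)^[a-z][a-z0-9+.-]*:.*")) {
            return FormValidation.error("URLs are not accepted; use a workspace-relative path.");
        }
        if (v.contains("..")) {
            return FormValidation.error("Parent-directory segments are not allowed.");
        }
        for (String end : ENDINGS) {
            if (v.endsWith(end)) return FormValidation.ok();
        }
        return FormValidation.error("Unsupported file type; expected one of " + String.join(", ", ENDINGS));
    }

    // @POST makes Stapler require a POST carrying a CSRF crumb, so a plain GET
    // like the request shown above no longer reaches this method at all.
    @POST
    public FormValidation doCheckFilepath(@AncestorInPath Item item,
                                          @QueryParameter String filepath) {
        // Permission check before any validation: only users allowed to configure
        // this job (or administrators on the global configuration page) get a result.
        if (item != null) {
            item.checkPermission(Item.CONFIGURE);
        } else {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        }
        // The actual read() of the user-supplied path is deferred to the build step,
        // which runs with the job's own context instead of on behalf of any caller.
        return validateFilepathSyntax(filepath);
    }
}
```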


This issue may lead to server-side request forgery.




This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).


You can contact the GHSL team at, please include a reference to GHSL-2023-073 in any communication regarding this issue.