CSRF vulnerability in Jenkins promoted builds Plugin
Moderate severity
GitHub Reviewed
Published
May 24, 2022
to the GitHub Advisory Database
•
Updated Dec 15, 2023
Package
Affected versions
<= 3.9
Patched versions
3.9.1
Description
Published by the National Vulnerability Database
Apr 7, 2021
Published to the GitHub Advisory Database
May 24, 2022
Reviewed
Dec 13, 2022
Last updated
Dec 15, 2023
Credits
-
NotMyFault Analyst
Jenkins promoted builds Plugin 3.9 and earlier does not require POST requests for HTTP endpoints implementing promotion (regular, forced, and re-execute), resulting in cross-site request forgery (CSRF) vulnerabilities.
These vulnerabilities allow attackers to promote builds.
Jenkins promoted builds Plugin 3.9.1 requires POST requests for the affected HTTP endpoints.
A security hardening since Jenkins 2.287 and LTS 2.277.2 prevents exploitation of this vulnerability.
References