GHSA-5frh-wx6v-8m2r

Published: 24 May 2022
Source: github
GitHub: reviewed
CVSS3: 6.5

Description

CSRF vulnerabilities in Jenkins requests-plugin Plugin

Jenkins requests-plugin Plugin 2.2.12 and earlier does not require POST requests to request and apply changes, resulting in cross-site request forgery (CSRF) vulnerabilities.

These vulnerabilities allow attackers to create requests and/or have administrators apply pending requests, like renaming or deleting jobs, deleting builds, etc.

Jenkins requests-plugin Plugin 2.2.13 requires POST requests for the affected HTTP endpoints. This was partially fixed in requests-plugin Plugin 2.2.8 to require POST requests for some of the affected HTTP endpoints, but the endpoint allowing administrators to apply pending requests remained unprotected until 2.2.13.

Packages

Name: org.jenkins-ci.plugins:requests (maven)

Affected versions: <= 2.2.12
Fixed version: 2.2.13

EPSS

Percentile: 69%
Score: 0.00603
Low

CVSS3: 6.5 Medium

Weaknesses

CWE-352

Related vulnerabilities

CVSS3: 6.5
nvd
more than 4 years ago

A cross-site request forgery (CSRF) vulnerability in Jenkins requests-plugin Plugin 2.2.12 and earlier allows attackers to create requests and/or have administrators apply pending requests.

EPSS

Percentile: 69%
Score: 0.00603
Low

CVSS3: 6.5 Medium

Weaknesses

CWE-352