Description
Jenkins ElectricFlow Plugin cross-site request forgery vulnerability
A missing permission check in a form validation method in CloudBees CD Plugin allowed users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified username and password.
Additionally, the form validation method did not require POST requests, resulting in a CSRF vulnerability.
This form validation method now requires POST requests and Overall/Administer permissions.
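The fix described above is the standard Jenkins pattern for Stapler form-validation endpoints: annotate the `do*` method with `@RequirePOST` so it is not reachable through a cross-site GET, and call `checkPermission(Jenkins.ADMINISTER)` before doing anything on the caller's behalf. The following is an added illustration written for this page, not code from the ElectricFlow/CloudBees CD plugin; the class, field names and the `tryConnect` helper are hypothetical, and only the method name `doTestConnection` is taken from the advisory text.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/**
 * Hypothetical Stapler-bound object (in a real plugin this would be a Descriptor).
 * Both methods below are reachable as web endpoints because of the "do" prefix.
 */
public class ConnectionTestExample {

    /**
     * Pattern the advisory describes as vulnerable (kept only for contrast, not for use):
     * no permission check beyond the implicit Overall/Read needed to reach the UI,
     * and no @RequirePOST, so a GET from a third-party page is enough to make Jenkins
     * open a connection to a URL chosen by whoever crafted the link.
     */
    public FormValidation doTestConnectionBefore(@QueryParameter String serverUrl,
                                                 @QueryParameter String username,
                                                 @QueryParameter String password) {
        return tryConnect(serverUrl, username, password);
    }

    /**
     * Hardened form matching the advisory's fix: POST-only and Overall/Administer.
     * checkPermission throws an AccessDeniedException for non-admins, which Stapler
     * turns into a 403 before tryConnect is ever reached.
     */
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String serverUrl,
                                           @QueryParameter String username,
                                           @QueryParameter String password) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return tryConnect(serverUrl, username, password);
    }

    /** Hypothetical connection check: a short, bounded HTTP request with Basic auth. */
    private static FormValidation tryConnect(String serverUrl, String username, String password) {
        HttpURLConnection conn = null;
        try {
            conn = (HttpURLConnection) new URL(serverUrl).openConnection();
            conn.setConnectTimeout(5_000);
            conn.setReadTimeout(5_000);
            conn.setRequestMethod("GET");
            String token = Base64.getEncoder().encodeToString(
                    (username + ":" + password).getBytes(StandardCharsets.UTF_8));
            conn.setRequestProperty("Authorization", "Basic " + token);
            int status = conn.getResponseCode();
            return status == HttpURLConnection.HTTP_OK
                    ? FormValidation.ok("Connection succeeded")
                    : FormValidation.error("Server responded with HTTP " + status);
        } catch (IOException e) {
            // Report the class only; echoing the full message can leak target details into the UI.
            return FormValidation.error("Connection failed: " + e.getClass().getSimpleName());
        } finally {
            if (conn != null) {
                conn.disconnect();
            }
        }
    }
}
```

When reviewing a plugin for the same class of issue, look for every `do*` method that takes a URL or credentials as a `@QueryParameter` and confirm it carries both `@RequirePOST` and a `checkPermission` call appropriate to the object being configured (Overall/Administer for global configuration, `Item.CONFIGURE` for job-level forms).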
Packages
Package: org.jenkins-ci.plugins:electricflow
Affected versions: <= 1.1.6
Patched version: 1.1.7
Related vulnerabilities
A cross-site request forgery vulnerability in Jenkins ElectricFlow Plugin 1.1.5 and earlier in Configuration#doTestConnection allowed attackers to connect to an attacker-specified URL using attacker-specified credentials.