exploitDog


GHSA-998m-f2x3-jjq4

Published: 24 May 2022
Source: github
GitHub: reviewed
CVSS3: 5.4

Description

CSRF vulnerability in Jenkins Config File Provider Plugin allows deleting configuration files

Jenkins Config File Provider Plugin 3.7.0 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to delete configuration files corresponding to an attacker-specified ID.

This is due to an incomplete fix of SECURITY-938.

Jenkins Config File Provider Plugin 3.7.1 requires POST requests for the affected HTTP endpoint.
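The pattern the fix describes, as an added illustration that is not code from the plugin or from this advisory: a Stapler web method in a Jenkins plugin that changes state must be restricted to POST with `@RequirePOST` (so the crumb-based CSRF check applies) and must also check authorization. The class name, the `doDeleteConfig` methods, the in-memory store and the permission used are hypothetical; the plugin's real endpoint name is not on this page.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;

/** Illustrative action object; all names here are hypothetical, not the plugin's own. */
public class ConfigFilesAction {

    /** Hypothetical store of managed configuration files, keyed by their ID. */
    private final Map<String, String> configs = new ConcurrentHashMap<>();

    // BEFORE (the defect class this advisory describes, CWE-352): Stapler binds
    // this method to .../deleteConfigUnsafe?id=... for any HTTP method. Jenkins
    // only validates the anti-CSRF crumb on POST, so a plain GET triggered from
    // another site is processed with the victim's session and no crumb at all.
    public void doDeleteConfigUnsafe(@QueryParameter String id, StaplerResponse rsp)
            throws IOException {
        configs.remove(id);
        rsp.setStatus(200);
    }

    // AFTER: @RequirePOST makes Stapler reject any request that is not a POST,
    // which means the request must carry a valid crumb to get this far. The
    // permission check is the second half of the defence: CSRF protection limits
    // who can be tricked into sending the request, authorization limits who is
    // allowed to perform the deletion at all.
    @RequirePOST
    public void doDeleteConfig(@QueryParameter String id, StaplerResponse rsp)
            throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        configs.remove(id);
        rsp.setStatus(200);
    }

    /** Visible for tests and for the example: whether a config ID is still stored. */
    public boolean has(String id) {
        return configs.containsKey(id);
    }
}
```

Auditing a plugin for this class of bug means listing every `do*` method that mutates state and confirming each carries `@RequirePOST` (or `@POST`) and a permission check.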

Packages

Name: org.jenkins-ci.plugins:config-file-provider (maven)

Affected versions: <= 3.7.0

Fixed version: 3.7.1

EPSS

Percentile: 42%
0.00203
Low

5.4 Medium

CVSS3

Weaknesses

CWE-352

Related vulnerabilities

CVSS3: 6.3
redhat
almost 5 years ago

A cross-site request forgery (CSRF) vulnerability in Jenkins Config File Provider Plugin 3.7.0 and earlier allows attackers to delete configuration files corresponding to an attacker-specified ID.

CVSS3: 5.4
nvd
almost 5 years ago

A cross-site request forgery (CSRF) vulnerability in Jenkins Config File Provider Plugin 3.7.0 and earlier allows attackers to delete configuration files corresponding to an attacker-specified ID.
