GHSA-grpp-gx5h-pvh8

Опубликовано: 24 мая 2022

Источник: github

Github: Прошло ревью

CVSS3: 4.3

Описание

Jenkins XebiaLabs XL Deploy Plugin vulnerable to Cross-site request forgery (CSRF)

A missing permission check in a form validation method in Jenkins XebiaLabs XL Deploy Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

Ссылки

Пакеты

Наименование

com.xebialabs.deployit.ci:deployit-plugin

maven

Затронутые версииВерсия исправления

< 7.5.5

7.5.5

EPSS

Процентиль: 20%

0.00066

Низкий

4.3 Medium

CVSS3

CVE ID

CVE-2019-10304

Дефекты

CWE-352

Связанные уязвимости

CVE-2019-10304

CVSS3: 6.5

nvd

почти 7 лет назад

A cross-site request forgery vulnerability in Jenkins XebiaLabs XL Deploy Plugin in the Credential#doValidateUserNamePassword form validation method allows attackers to initiate a connection to an attacker-specified server.

EPSS

Процентиль: 20%

0.00066

Низкий

4.3 Medium

CVSS3

CVE ID

CVE-2019-10304

Дефекты

CWE-352