GHSA-x2pv-fph3-phfx

Опубликовано: 29 окт. 2025

Источник: github

Github: Прошло ревью

CVSS3: 4.3

Описание

Jenkins Nexus Task Runner Plugin vulnerable to cross-site request forgery

Jenkins Nexus Task Runner Plugin 0.9.2 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password.

Additionally, this endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

Ссылки

Пакеты

Наименование

org.jenkins-ci.plugins:nexus-task-runner

maven

Затронутые версииВерсия исправления

<= 0.9.2

Отсутствует

EPSS

Процентиль: 5%

0.00021

Низкий

4.3 Medium

CVSS3

CVE ID

CVE-2025-64141

Дефекты

CWE-352

Связанные уязвимости

CVE-2025-64141

CVSS3: 4.3

nvd

3 месяца назад

A cross-site request forgery (CSRF) vulnerability in Jenkins Nexus Task Runner Plugin 0.9.2 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials.

EPSS

Процентиль: 5%

0.00021

Низкий

4.3 Medium

CVSS3

CVE ID

CVE-2025-64141

Дефекты

CWE-352