exploitDog
GHSA-xc7q-p3f4-q389

Published: 24 May 2022
Source: github
GitHub: reviewed
CVSS3: 4.3

Description

Jenkins Project Inheritance Plugin vulnerable to Cross-Site Request Forgery

Project Inheritance Plugin allows the creation of projects based on templates defined in the plugin configuration.

A missing permission check in the HTTP endpoint triggering project creation allowed users with Overall/Read permission to create these projects. Additionally, the HTTP endpoint did not require POST requests, resulting in a CSRF vulnerability.

The HTTP endpoint triggering project creation now requires Item/Create permission and submission of requests via POST.
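The two defects named above (no permission check on the project-creating web method, and the method being reachable with any HTTP verb) and the shape of the fix are shown side by side below. This is an added illustration written for this page, not code from the Project Inheritance Plugin or from Jenkins: the class name, the method and parameter names, and the use of `Jenkins.copy` as a stand-in for the plugin's template-based creation are assumptions; only the Jenkins/Stapler APIs called (`Jenkins.get`, `checkPermission`, `Item.CREATE`, `@RequirePOST`, `HttpResponses.redirectTo`) are real.

```java
// Added illustration for GHSA-xc7q-p3f4-q389; not the plugin's own code.
// Hypothetical Stapler-bound object with one vulnerable and one hardened web method.
package example; // hypothetical package name

import hudson.model.Item;
import hudson.model.TopLevelItem;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class TemplateProjectCreator {

    /**
     * Vulnerable shape (what the advisory describes).
     * Stapler routes a doXxx method for any HTTP verb, so a GET to
     * .../createFromTemplateVulnerable?template=T&name=N creates a project.
     * Consequences:
     *  - no checkPermission(): anyone who can reach the page (Overall/Read) can create projects;
     *  - GET is accepted: Jenkins' CSRF crumb filter only guards POST, so a logged-in
     *    victim's browser can be made to fire this via an <img src=...> or a plain link.
     */
    public HttpResponse doCreateFromTemplateVulnerable(@QueryParameter String template,
                                                       @QueryParameter String name) throws Exception {
        createFromTemplate(template, name); // state change with no authz and no verb restriction
        return HttpResponses.redirectTo("..");
    }

    /**
     * Hardened shape, matching the fix described in the advisory:
     *  - @RequirePOST makes Stapler reject non-POST requests (405), removing the
     *    GET-triggerable CSRF path and putting the request behind the crumb check;
     *  - checkPermission(Item.CREATE) requires Item/Create, otherwise an
     *    AccessDeniedException is thrown before anything is created.
     */
    @RequirePOST
    public HttpResponse doCreateFromTemplate(@QueryParameter String template,
                                             @QueryParameter String name) throws Exception {
        Jenkins jenkins = Jenkins.get();
        jenkins.checkPermission(Item.CREATE); // authorization check at the Jenkins root
        createFromTemplate(template, name);
        return HttpResponses.redirectTo("..");
    }

    /**
     * Stand-in for the plugin's template-based creation (assumption: the real plugin
     * builds projects from templates defined in its configuration, not by copying items).
     */
    private void createFromTemplate(String template, String name) throws Exception {
        Jenkins jenkins = Jenkins.get();
        TopLevelItem src = jenkins.getItem(template);
        if (src == null) {
            throw new IllegalArgumentException("no such template: " + template);
        }
        jenkins.copy(src, name);
    }
}
```

When reviewing a Jenkins plugin for this bug class, look for every `doXxx` method that changes state and check both properties together: a missing `checkPermission` is an authorization hole on its own, and a missing `@RequirePOST` (or `@POST`) turns that hole into something a third-party site can trigger through the victim's browser, because the crumb-based CSRF protection is never consulted for GET requests.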

Packages

Name: hudson.plugins:project-inheritance (maven)
Affected versions: < 19.08.2
Fixed version: 19.08.2

EPSS

Score: 0.00377 (percentile: 59%), rated Low

CVSS3

4.3 Medium

Weaknesses

CWE-352 (Cross-Site Request Forgery)

Related vulnerabilities

nvd, more than 6 years ago. CVSS3: 4.3 Medium; EPSS: 0.00377 (percentile: 59%), Low; weakness: CWE-352

A cross-site request forgery vulnerability in Jenkins Project Inheritance Plugin 2.0.0 and earlier allowed attackers to trigger project generation from templates.