Jenkins Folders Plugin cross-site request forgery vulnerability

2023-08-1615:30:17

CWE-352

GitHub Advisory Database

github.com

jenkins

folders plugin

cross-site request forgery

http endpoint

vulnerability

unsafe scripts

post requests

software

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

30.2%

JSON

Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to copy an item, which could potentially automatically approve unsandboxed scripts and allow the execution of unsafe scripts.

Folders Plugin 6.848.ve3b_fd7839a_81 requires POST requests for the affected HTTP endpoint.