Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-C735-G9F2-2MVP
HistoryMay 24, 2022 - 5:12 p.m.

Cross-Site Request Forgery in Jenkins

2022-05-2417:12:40
CWE-352
CWE-435
GitHub Advisory Database
github.com
12

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

33.0%

JSON

An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs.

Implementations of that extension point received a different representation of the URL path than the Stapler web framework uses to dispatch requests in Jenkins 2.227 and earlier, LTS 2.204.5 and earlier. This discrepancy allowed attackers to craft URLs that would bypass the CSRF protection of any target URL.

Jenkins now uses the same representation of the URL path to decide whether CSRF protection is needed for a given URL as the Stapler web framework uses.

In case of problems, administrators can disable this security fix by setting the system property hudson.security.csrf.CrumbFilter.UNPROCESSED_PATHINFO to true.

As an additional safeguard, semicolon (;) characters in the path part of a URL are now banned by default. Administrators can disable this protection by setting the system property jenkins.security.SuspiciousRequestFilter.allowSemicolonsInPath to true.

Affected configurations

Vulners
Node
org.jenkins-ci.main\Matchjenkins-core
OR
org.jenkins-ci.main\Matchjenkins-core

Related

osv 3
cve 1
redhatcve 1
veracode 1
nvd 1
cvelist 1
alpinelinux 1
prion 1
openvas 2
nessus 2
freebsd 1
osv
osv
Cross-Site Request Forgery in Jenkins
2022-05-24 17:12:40
CVE-2020-2160
2020-03-25 17:15:14
BIT-jenkins-2020-2160
2024-03-06 11:06:01
cve
cve
CVE-2020-2160
2020-03-25 17:15:14
redhatcve
redhatcve
CVE-2020-2160
2021-08-15 11:34:50
veracode
veracode
Cross-site Request Forgery (CSRF)
2020-07-04 03:14:58
nvd
nvd
CVE-2020-2160
2020-03-25 17:15:14
cvelist
cvelist
CVE-2020-2160
2020-03-25 16:05:34
alpinelinux
alpinelinux
CVE-2020-2160
2020-03-25 17:15:14
prion
prion
Cross site request forgery (csrf)
2020-03-25 17:15:00
openvas
openvas
Jenkins < 2.228, < 2.204.6 LTS Multiple Vulnerabilities - Windows
2020-03-26 00:00:00
Jenkins < 2.228, < 2.204.6 LTS Multiple Vulnerabilities - Linux
2020-03-26 00:00:00
nessus
nessus
FreeBSD : jenkins -- multiple vulnerabilities (5bf6ed6d-9002-4f43-ad63-458f59e45384)
2020-03-26 00:00:00
Jenkins < (2.204.6 / 2.222.1) LTS / 2.228 Multiple Vulnerabilities
2020-04-02 00:00:00
freebsd
freebsd
jenkins -- multiple vulnerabilities
2020-03-25 00:00:00

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

33.0%

JSON
Related for GHSA-C735-G9F2-2MVP
osv3cve1redhatcve1veracode1nvd1cvelist1alpinelinux1prion1openvas2nessus2freebsd1