CVE-2017-1000090

2017-10-0501:29:03

Google

osv.dev

6.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

34.6%

JSON

Role-based Authorization Strategy Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to add administrator role to any user, or to remove the authorization configuration, preventing legitimate access to Jenkins.

CPENameOperatorVersion
role-strategy-plugineqrole-strategy-2.1.0
role-strategy-plugineqrole-strategy-2.5.0
role-strategy-plugineqrole-strategy-1.1.3
role-strategy-plugineqrole-strategy-2.3.1
role-strategy-plugineqrole-strategy-2.3.0
role-strategy-plugineqrole-strategy-2.3.2
role-strategy-plugineqrole-strategy-2.2.0
role-strategy-plugineqrole-strategy-2.4.0

Name	Operator	Version
role-strategy-plugin	eq	role-strategy-2.1.0
role-strategy-plugin	eq	role-strategy-2.5.0
role-strategy-plugin	eq	role-strategy-1.1.3
role-strategy-plugin	eq	role-strategy-2.3.1
role-strategy-plugin	eq	role-strategy-2.3.0
role-strategy-plugin	eq	role-strategy-2.3.2
role-strategy-plugin	eq	role-strategy-2.2.0
role-strategy-plugin	eq	role-strategy-2.4.0

References

jenkins.io/security/advisory/2017-07-10/