Jenkins Slack Notification Plugin missing permission check

2022-05-1301:15:08

Google

osv.dev

6.4 Medium

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

71.6%

JSON

Jenkins Slack Notification Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer (for global configuration) or Item/Configure permissions (for job configuration).

CPENameOperatorVersion
org.jenkins-ci.plugins:slackeq2.17
org.jenkins-ci.plugins:slackeq2.3
org.jenkins-ci.plugins:slackeq1.2
org.jenkins-ci.plugins:slackeq2.0
org.jenkins-ci.plugins:slackeq2.12
org.jenkins-ci.plugins:slackeq2.9
org.jenkins-ci.plugins:slackeq1.8
org.jenkins-ci.plugins:slackeq1.8.1
org.jenkins-ci.plugins:slackeq2.15
org.jenkins-ci.plugins:slackeq1.0

Name	Operator	Version
org.jenkins-ci.plugins:slack	eq	2.17
org.jenkins-ci.plugins:slack	eq	2.3
org.jenkins-ci.plugins:slack	eq	1.2
org.jenkins-ci.plugins:slack	eq	2.0
org.jenkins-ci.plugins:slack	eq	2.12
org.jenkins-ci.plugins:slack	eq	2.9
org.jenkins-ci.plugins:slack	eq	1.8
org.jenkins-ci.plugins:slack	eq	1.8.1
org.jenkins-ci.plugins:slack	eq	2.15
org.jenkins-ci.plugins:slack	eq	1.0