Jenkins Deploy WebLogic Plugin cross-site request forgery vulnerability

2022-05-2416:59:37

Google

osv.dev

6.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

21.9%

JSON

JenkinsDeploy WebLogic Plugin does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to send an HTTP HEAD request to a user-specified URL, or confirm the existence of any file or directory on the Jenkins controller.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

As of publication of this advisory, there is no fix.

CPENameOperatorVersion
org.jenkins-ci.plugins:weblogic-deployer-plugineq2.1
org.jenkins-ci.plugins:weblogic-deployer-plugineq4.0
org.jenkins-ci.plugins:weblogic-deployer-plugineq1.4
org.jenkins-ci.plugins:weblogic-deployer-plugineq3.5
org.jenkins-ci.plugins:weblogic-deployer-plugineq2.3
org.jenkins-ci.plugins:weblogic-deployer-plugineq3.2
org.jenkins-ci.plugins:weblogic-deployer-plugineq1.2
org.jenkins-ci.plugins:weblogic-deployer-plugineq2.0
org.jenkins-ci.plugins:weblogic-deployer-plugineq2.9.1
org.jenkins-ci.plugins:weblogic-deployer-plugineq3.4

Name	Operator	Version
org.jenkins-ci.plugins:weblogic-deployer-plugin	eq	2.1
org.jenkins-ci.plugins:weblogic-deployer-plugin	eq	4.0
org.jenkins-ci.plugins:weblogic-deployer-plugin	eq	1.4
org.jenkins-ci.plugins:weblogic-deployer-plugin	eq	3.5
org.jenkins-ci.plugins:weblogic-deployer-plugin	eq	2.3
org.jenkins-ci.plugins:weblogic-deployer-plugin	eq	3.2
org.jenkins-ci.plugins:weblogic-deployer-plugin	eq	1.2
org.jenkins-ci.plugins:weblogic-deployer-plugin	eq	2.0
org.jenkins-ci.plugins:weblogic-deployer-plugin	eq	2.9.1
org.jenkins-ci.plugins:weblogic-deployer-plugin	eq	3.4