Lucene search

GoogleOSV:GHSA-JRJ6-QX48-3CPQ

HistoryAug 16, 2023 - 3:30 p.m.

Jenkins Favorite View Plugin cross-site request forgery vulnerability

2023-08-1615:30:18

Google

osv.dev

jenkins

favorite view

plugin

http endpoint

cross-site request forgery

csrf

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

0.0005 Low

EPSS

Percentile

17.1%

JSON

Jenkins Favorite View Plugin 5.v77a_37f62782d and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to add or remove views from another user’s favorite views tab bar.

As of publication of this advisory, there is no fix.

CPENameOperatorVersion
org.jenkins-ci.plugins:favorite-vieweq1.0

CPE	Name	Operator	Version
	org.jenkins-ci.plugins:favorite-view	eq	1.0

References

www.openwall.com/lists/oss-security/2023/08/16/3

nvd.nist.gov/vuln/detail/CVE-2023-40351

www.jenkins.io/security/advisory/2023-08-16/#SECURITY-3201

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

0.0005 Low

EPSS

Percentile

17.1%

JSON

Related for OSV:GHSA-JRJ6-QX48-3CPQ