CSRF vulnerability in Jenkins warnings Plugin allows remote code execution

2022-05-2417:29:16

Google

osv.dev

0.001 Low

EPSS

Percentile

37.6%

JSON

warnings Plugin 5.0.1 and earlier does not require POST requests for a form validation method intended for testing custom warnings parsers, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to execute arbitrary code.

warnings Plugin 5.0.2 requires POST requests for the affected form validation method.

This vulnerability was caused by an incomplete fix to SECURITY-1295.

CPENameOperatorVersion
org.jvnet.hudson.plugins:warningseq1.9
org.jvnet.hudson.plugins:warningseq3.15
org.jvnet.hudson.plugins:warningseq4.14
org.jvnet.hudson.plugins:warningseq4.16
org.jvnet.hudson.plugins:warningseq3.8
org.jvnet.hudson.plugins:warningseq3.3
org.jvnet.hudson.plugins:warningseq4.30
org.jvnet.hudson.plugins:warningseq4.57
org.jvnet.hudson.plugins:warningseq3.9
org.jvnet.hudson.plugins:warningseq2.6

Name	Operator	Version
org.jvnet.hudson.plugins:warnings	eq	1.9
org.jvnet.hudson.plugins:warnings	eq	3.15
org.jvnet.hudson.plugins:warnings	eq	4.14
org.jvnet.hudson.plugins:warnings	eq	4.16
org.jvnet.hudson.plugins:warnings	eq	3.8
org.jvnet.hudson.plugins:warnings	eq	3.3
org.jvnet.hudson.plugins:warnings	eq	4.30
org.jvnet.hudson.plugins:warnings	eq	4.57
org.jvnet.hudson.plugins:warnings	eq	3.9
org.jvnet.hudson.plugins:warnings	eq	2.6