CSRF vulnerability in Jenkins Lockable Resources Plugin

2022-05-2417:29:16

Google

osv.dev

0.001 Low

EPSS

Percentile

26.9%

JSON

Lockable Resources Plugin 2.8 and earlier does not require POST requests for several HTTP endpoints, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to reserve, unreserve, unlock, and reset resources. Lockable Resources Plugin 2.9 requires POST requests for the affected HTTP endpoints.

CPENameOperatorVersion
org.6wind.jenkins:lockable-resourceseq1.5
org.6wind.jenkins:lockable-resourceseq1.10
org.6wind.jenkins:lockable-resourceseq2.8
org.6wind.jenkins:lockable-resourceseq2.5
org.6wind.jenkins:lockable-resourceseq1.0
org.6wind.jenkins:lockable-resourceseq2.7
org.6wind.jenkins:lockable-resourceseq1.1
org.6wind.jenkins:lockable-resourceseq2.6
org.6wind.jenkins:lockable-resourceseq1.11
org.6wind.jenkins:lockable-resourceseq2.4

Name	Operator	Version
org.6wind.jenkins:lockable-resources	eq	1.5
org.6wind.jenkins:lockable-resources	eq	1.10
org.6wind.jenkins:lockable-resources	eq	2.8
org.6wind.jenkins:lockable-resources	eq	2.5
org.6wind.jenkins:lockable-resources	eq	1.0
org.6wind.jenkins:lockable-resources	eq	2.7
org.6wind.jenkins:lockable-resources	eq	1.1
org.6wind.jenkins:lockable-resources	eq	2.6
org.6wind.jenkins:lockable-resources	eq	1.11
org.6wind.jenkins:lockable-resources	eq	2.4