OSV:GHSA-WHF8-3H58-2W9F
History: May 13, 2022 - 1:31 a.m.

Jenkins Warnings Next Generation Plugin cross-site request forgery vulnerability

2022-05-13 01:31:35
Google
osv.dev

AI Score: 7.6
Confidence: High
EPSS: 0.001
Percentile: 41.5%

Jenkins Warnings Next Generation Plugin has a form validation HTTP endpoint used to validate a Groovy script through compilation, which was not subject to sandbox protection. The endpoint checked for the Overall/RunScripts permission, but did not require POST requests, so it was vulnerable to cross-site request forgery (CSRF). This allowed attackers to execute arbitrary code on the Jenkins controller by applying AST transforming annotations such as @Grab to source code elements.

The affected HTTP endpoint now applies a safe Groovy compiler configuration preventing the use of unsafe AST transforming annotations. Additionally, the form validation HTTP endpoint now requires that requests be sent via POST to prevent CSRF.
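Added example, not the plugin's own code: a Jenkins form-validation endpoint that compiles a submitted Groovy script, shown first in the shape the advisory describes (permission check only, any request method, default compiler configuration) and then hardened with a POST requirement and a safe compiler configuration. Class and method names are hypothetical, and GroovySandbox.createSecureCompilerConfiguration() is assumed to be the script-security plugin's helper that installs its AST-transform-rejecting customizer; that is one way to obtain the kind of safe configuration the fix describes.

```java
import groovy.lang.GroovyShell;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.codehaus.groovy.control.CompilationFailedException;
import org.codehaus.groovy.control.CompilerConfiguration;
import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox; // assumed helper, see lead-in
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

// Hypothetical descriptor-style class holding two versions of a doCheck* endpoint.
public class ScriptValidationExample {

    // BEFORE (vulnerable shape): Stapler serves this on GET as well as POST, so a cross-site
    // request issued by the browser of an already-authenticated Overall/RunScripts user reaches
    // it; the permission check passes, and default compilation runs any AST transform the
    // script declares (such as @Grab) on the controller.
    public FormValidation doCheckScriptVulnerable(@QueryParameter String script) {
        Jenkins.get().checkPermission(Jenkins.RUN_SCRIPTS); // authorization, not CSRF protection
        try {
            new GroovyShell().parse(script);                 // default CompilerConfiguration
            return FormValidation.ok();
        } catch (CompilationFailedException e) {
            return FormValidation.error(e.getMessage());
        }
    }

    // AFTER (hardened): @RequirePOST rejects non-POST requests, so Jenkins' CSRF crumb check
    // applies to every request that reaches the body; the safe compiler configuration makes
    // compilation fail on unsafe AST-transforming annotations instead of executing them.
    @RequirePOST
    public FormValidation doCheckScript(@QueryParameter String script) {
        Jenkins.get().checkPermission(Jenkins.RUN_SCRIPTS);
        CompilerConfiguration safeConfig = GroovySandbox.createSecureCompilerConfiguration();
        try {
            new GroovyShell(safeConfig).parse(script);       // compile-only validation, no run()
            return FormValidation.ok();
        } catch (CompilationFailedException e) {
            return FormValidation.error(e.getMessage());     // rejected transforms surface here
        }
    }
}
```

A quick check for this class of issue: any `doCheck*`/`doValidate*` method that compiles or evaluates user input should carry `@RequirePOST` in addition to its permission check, since the permission check alone does not distinguish a user's own form submission from a forged cross-site request.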
