Lucene search

Veracode Vulnerability DatabaseVERACODE:44703

HistoryDec 18, 2023 - 6:06 a.m.

Cross-Site Request Forgery (CSRF)

2023-12-1806:06:37

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

cross-site request forgery

vulnerability

htmlresource

jenkins

file system

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

7.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

24.0%

JSON

htmlresource is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability exists because the library does not require POST requests for an HTTP endpoint, which allows an attacker to delete arbitrary files on the Jenkins controller file system

CPENameOperatorVersion
htmlresourceeq1.02
htmlresourceeq1.02

CPE	Name	Operator	Version
	htmlresource	eq	1.02
	htmlresource	eq	1.02

References

www.openwall.com/lists/oss-security/2023/12/13/4

github.com/advisories/GHSA-7ccg-jm7j-4f8v

www.jenkins.io/security/advisory/2023-12-13/#SECURITY-3183

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

7.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

24.0%

JSON

Related for VERACODE:44703