1. Home
  2. Security Advisories
  3. Jenkins
  4. JENKINS:SECURITY-1091

[JENKINS:SECURITY-1091] CSRF vulnerability and missing permission check in `jenkins-reviewbot` allow SSRF

Severity Medium
Affected Packages 2
CVEs 1
Info Packages References Vulnerabilities

A missing permission check in a form validation method in jenkins-reviewbot allows users with Overall/Read permission to initiate a connection test to an attacker-specified URL with attacker-specified credentials.

Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.

Package Affected Version
pkg:maven/org.jenkins-ci.plugins/jenkins-reviewbot <= 2.4.6
pkg:github/jenkinsci/jenkins-reviewbot-plugin <= 2.4.6
ID
JENKINS:SECURITY-1091
Severity
medium
Published
2019-04-03T00:00:00
(5 years ago)
Modified
2019-04-03T00:00:00
(5 years ago)
Rights
Jenkins Security Team
Other Advisories
Source # ID Name URL
Plugin repository jenkins-reviewbot repository https://github.com/jenkinsci/jenkins-reviewbot-plugin
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.jenkins-ci.plugins/jenkins-reviewbot org.jenkins-ci.plugins jenkins-reviewbot <= 2.4.6
Affected pkg:github/jenkinsci/jenkins-reviewbot-plugin jenkinsci jenkins-reviewbot-plugin <= 2.4.6
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date