1. Home
  2. Security Advisories
  3. Jenkins
  4. JENKINS:SECURITY-1094

[JENKINS:SECURITY-1094] CSRF vulnerability in `cvs`

Severity Medium
Affected Packages 2
Fixed Packages 2
CVEs 1
Info Packages References Vulnerabilities

cvs 2.15 and earlier does not require POST requests in several HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities.
This allows attackers to create and manipulate tags, and to connect to an attacker-specified URL.

cvs 2.16 now requires POST requests for the affected HTTP endpoints.

Package Affected Version
pkg:maven/org.jenkins-ci.plugins/cvs <= 2.15
pkg:github/jenkinsci/cvs-plugin <= 2.15
Package Fixed Version
pkg:maven/org.jenkins-ci.plugins/cvs = 2.16
pkg:github/jenkinsci/cvs-plugin = 2.16
ID
JENKINS:SECURITY-1094
Severity
medium
Published
2020-05-06T00:00:00
(4 years ago)
Modified
2020-05-06T00:00:00
(4 years ago)
Rights
Jenkins Security Team
Other Advisories
Source # ID Name URL
Plugin repository cvs repository https://github.com/jenkinsci/cvs-plugin
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.jenkins-ci.plugins/cvs org.jenkins-ci.plugins cvs <= 2.15
Fixed pkg:maven/org.jenkins-ci.plugins/cvs org.jenkins-ci.plugins cvs = 2.16
Affected pkg:github/jenkinsci/cvs-plugin jenkinsci cvs-plugin <= 2.15
Fixed pkg:github/jenkinsci/cvs-plugin jenkinsci cvs-plugin = 2.16
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date