[JENKINS:SECURITY-1153] Monitoring Plugin did not apply CSRF protection even if enabled in Jenkins
Severity: Medium
Affected Packages: 2
Fixed Packages: 2
CVEs: 1
Monitoring Plugin provides a standalone JavaMelody servlet with an independent CSRF protection configuration.
Even if Jenkins had CSRF protection enabled, Monitoring Plugin may not have it enabled.
Monitoring Plugin now checks on startup whether Jenkins has CSRF protection enabled and enables its own CSRF protection accordingly.
NOTE: Monitoring Plugin does not take into account configuration changes applied after Jenkins startup or after Monitoring Plugin finishes loading.
Administrators need to restart Jenkins when enabling or disabling the CSRF protection configuration to apply the change to Monitoring Plugin.
| Package | Affected Version |
|---|---|
| pkg:maven/org.jenkins-ci.plugins/monitoring | <= 1.74.0 |
| pkg:github/jenkinsci/monitoring-plugin | <= 1.74.0 |

| Package | Fixed Version |
|---|---|
| pkg:maven/org.jenkins-ci.plugins/monitoring | = 1.75.0 |
| pkg:github/jenkinsci/monitoring-plugin | = 1.75.0 |
- ID: JENKINS:SECURITY-1153
- Severity: medium
- Published: 2019-01-28T00:00:00
- Modified: 2019-01-28T00:00:00
- Rights: Jenkins Security Team
- Other Advisories:

| Source | ID | Name | URL |
|---|---|---|---|
| Plugin repository | | monitoring repository | https://github.com/jenkinsci/monitoring-plugin |
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:maven/org.jenkins-ci.plugins/monitoring | org.jenkins-ci.plugins | monitoring | <= 1.74.0 | | | |
| Fixed | pkg:maven/org.jenkins-ci.plugins/monitoring | org.jenkins-ci.plugins | monitoring | = 1.75.0 | | | |
| Affected | pkg:github/jenkinsci/monitoring-plugin | jenkinsci | monitoring-plugin | <= 1.74.0 | | | |
| Fixed | pkg:github/jenkinsci/monitoring-plugin | jenkinsci | monitoring-plugin | = 1.75.0 | | | |