1. Home
  2. Security Advisories
  3. Jenkins
  4. JENKINS:SECURITY-1762

[JENKINS:SECURITY-1762] CSRF vulnerability and missing permission checks in `zephyr-for-jira-test-management`

Severity Medium
Affected Packages 2
CVEs 2
Info Packages References Vulnerabilities

zephyr-for-jira-test-management 1.5 and earlier does not perform a permission check in a method implementing form validation.
This allows users with Overall/Read access to Jenkins to connect to an attacker-specified host using attacker-specified username and password.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

Package Affected Version
pkg:maven/org.jenkins-ci.plugins/zephyr-for-jira-test-management <= 1.5
pkg:github/jenkinsci/zephyr-for-jira-test-management-plugin <= 1.5
ID
JENKINS:SECURITY-1762
Severity
medium
Published
2020-07-02T00:00:00
(4 years ago)
Modified
2020-07-02T00:00:00
(4 years ago)
Rights
Jenkins Security Team
Other Advisories
Source # ID Name URL
Plugin repository zephyr-for-jira-test-management repository https://github.com/jenkinsci/zephyr-for-jira-test-management-plugin
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.jenkins-ci.plugins/zephyr-for-jira-test-management org.jenkins-ci.plugins zephyr-for-jira-test-management <= 1.5
Affected pkg:github/jenkinsci/zephyr-for-jira-test-management-plugin jenkinsci zephyr-for-jira-test-management-plugin <= 1.5
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date