1. Home
  2. Security Advisories
  3. Jenkins
  4. JENKINS:SECURITY-2177

[JENKINS:SECURITY-2177] CSRF vulnerability and missing permission checks in `dbCharts`

Severity Medium
Affected Packages 2
CVEs 2
Info Packages References Vulnerabilities

dbCharts 0.5.2 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified database via JDBC using attacker-specified credentials.

Additionally, this method allows attackers to determine whether a class is available on the Jenkins controller's class path through error messages.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

Package Affected Version
pkg:maven/org.jenkins-ci.plugins/dbCharts <= 0.5.2
pkg:github/jenkinsci/dbcharts-plugin <= 0.5.2
ID
JENKINS:SECURITY-2177
Severity
medium
Published
2022-02-15T00:00:00
(2 years ago)
Modified
2022-02-15T00:00:00
(2 years ago)
Rights
Jenkins Security Team
Other Advisories
Source # ID Name URL
Plugin repository dbCharts repository https://github.com/jenkinsci/dbCharts-plugin
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.jenkins-ci.plugins/dbCharts org.jenkins-ci.plugins dbCharts <= 0.5.2
Affected pkg:github/jenkinsci/dbcharts-plugin jenkinsci dbcharts-plugin <= 0.5.2
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date