1. Home
  2. Security Advisories
  3. Jenkins
  4. JENKINS:SECURITY-2327

[JENKINS:SECURITY-2327] CSRF vulnerability and missing permission checks in `p4`

Severity Medium
Affected Packages 2
Fixed Packages 2
CVEs 2
Info Packages References Vulnerabilities

p4 1.11.4 and earlier does not perform permission checks in multiple HTTP endpoints implementing connection tests.

This allows attackers with Overall/Read permission to connect to an attacker-specified Perforce server using attacker-specified username and password.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

p4 1.11.5 requires POST requests and Overall/Administer for the affected HTTP endpoints.

Package Affected Version
pkg:maven/org.jenkins-ci.plugins/p4 <= 1.11.4
pkg:github/jenkinsci/p4-plugin <= 1.11.4
Package Fixed Version
pkg:maven/org.jenkins-ci.plugins/p4 = 1.11.5
pkg:github/jenkinsci/p4-plugin = 1.11.5
ID
JENKINS:SECURITY-2327
Severity
medium
Published
2021-05-11T00:00:00
(3 years ago)
Modified
2021-05-11T00:00:00
(3 years ago)
Rights
Jenkins Security Team
Other Advisories
Source # ID Name URL
Plugin repository p4 repository https://github.com/jenkinsci/p4-plugin
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.jenkins-ci.plugins/p4 org.jenkins-ci.plugins p4 <= 1.11.4
Fixed pkg:maven/org.jenkins-ci.plugins/p4 org.jenkins-ci.plugins p4 = 1.11.5
Affected pkg:github/jenkinsci/p4-plugin jenkinsci p4-plugin <= 1.11.4
Fixed pkg:github/jenkinsci/p4-plugin jenkinsci p4-plugin = 1.11.5
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date