1. Home
  2. Security Advisories
  3. Jenkins
  4. JENKINS:SECURITY-2656

[JENKINS:SECURITY-2656] CSRF vulnerability and missing permission check in `google-cloud-backup`

Severity Medium
Affected Packages 2
CVEs 2
Info Packages References Vulnerabilities

google-cloud-backup 0.6 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to request a manual backup.

Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

Package Affected Version
pkg:maven/org.jenkins-ci.plugins/google-cloud-backup <= 0.6
pkg:github/jenkinsci/google-cloud-backup-plugin <= 0.6
ID
JENKINS:SECURITY-2656
Severity
medium
Published
2022-07-27T00:00:00
(2 years ago)
Modified
2022-07-27T00:00:00
(2 years ago)
Rights
Jenkins Security Team
Other Advisories
Source # ID Name URL
Plugin repository google-cloud-backup repository https://github.com/jenkinsci/google-cloud-backup-plugin
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.jenkins-ci.plugins/google-cloud-backup org.jenkins-ci.plugins google-cloud-backup <= 0.6
Affected pkg:github/jenkinsci/google-cloud-backup-plugin jenkinsci google-cloud-backup-plugin <= 0.6
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date