[MAVEN:GHSA-5CXW-8V65-76VF] CSRF vulnerability in Jenkins promoted builds Plugin

Severity Moderate

Affected Packages 1

Fixed Packages 1

CVEs 1

Jenkins promoted builds Plugin 3.9 and earlier does not require POST requests for HTTP endpoints implementing promotion (regular, forced, and re-execute), resulting in cross-site request forgery (CSRF) vulnerabilities.

These vulnerabilities allow attackers to promote builds.

Jenkins promoted builds Plugin 3.9.1 requires POST requests for the affected HTTP endpoints.

A security hardening since Jenkins 2.287 and LTS 2.277.2 prevents exploitation of this vulnerability.

Package	Affected Version
pkg:maven/org.jenkins-ci.plugins/promoted-builds	<= 3.9

Package	Fixed Version
pkg:maven/org.jenkins-ci.plugins/promoted-builds	= 3.9.1

ID

MAVEN:GHSA-5CXW-8V65-76VF

Severity

moderate

URL

https://github.com/advisories/GHSA-5cxw-8v65-76vf

Published

2022-05-24T17:46:47
(2 years ago)

Modified

2023-12-15T10:21:40
(9 months ago)

Rights

Maven Security Team

Other Advisories

JENKINS:SECURITY-2293

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2021-21641
			https://www.jenkins.io/security/advisory/2021-04-07/#SECURITY-2293
			http://www.openwall.com/lists/oss-security/2021/04/07/2
			https://github.com/jenkinsci/promoted-builds-plugin/commit/46086a74891d620042c3d28a19cba3510c5dbf6a
			https://github.com/advisories/GHSA-5cxw-8v65-76vf

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:maven/org.jenkins-ci.plugins/promoted-builds	org.jenkins-ci.plugins	promoted-builds	<= 3.9
Fixed	pkg:maven/org.jenkins-ci.plugins/promoted-builds	org.jenkins-ci.plugins	promoted-builds	= 3.9.1

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date