Cross-site Request Forgery (CSRF) Affecting org.jenkins-ci.plugins:dependency-track package, versions [,3.1.1)
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGJENKINSCIPLUGINS-1089850
- published 31 Mar 2021
- disclosed 31 Mar 2021
- credit Justin Philip
Introduced: 31 Mar 2021
CVE-2021-21632 Open this link in a new tabHow to fix?
A fix was pushed into the master
branch but not yet published.
Overview
org.jenkins-ci.plugins:dependency-track is a plugin that aids in publishing CycloneDX and SPDX Software Bill-of-Materials (SBOM) to the Dependency-Track platform
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). It does not perform permission checks in several HTTP endpoints.This allows attackers with overall/read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing secret text
credentials stored in Jenkins. If no credentials ID is specified, the globally configured credential is used, if set up, and can likewise be captured.
Additionally, these HTTP endpoints do not require POST
requests.
NOTE: This vulnerability has also been identified as: CVE-2021-21633