Cross-site Request Forgery (CSRF)
Affecting org.jenkins-ci.plugins:dependency-track artifact, versions [,3.1.1)
org.jenkins-ci.plugins:dependency-track is a plugin that aids in publishing CycloneDX and SPDX Software Bill-of-Materials (SBOM) to the Dependency-Track platform
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). It does not perform permission checks in several HTTP endpoints. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing secret text credentials stored in Jenkins. If no credentials ID is specified, the globally configured credential is used, if set up, and can likewise be captured.
Additionally, these HTTP endpoints do not require
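As an added illustration (not code from the dependency-track plugin), the following hypothetical Jenkins global-configuration descriptor shows the endpoint bug class the advisory describes next to the hardened form: a `@POST` requirement plus an explicit permission check. The class name, method names and the `validate` helper are assumptions.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardCredentials;
import hudson.Extension;
import hudson.security.ACL;
import hudson.util.FormValidation;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Collections;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

// Hypothetical global-config descriptor; not the dependency-track plugin's code.
@Extension
public class ExampleGlobalConfig extends GlobalConfiguration {

    // BUG CLASS FROM THE ADVISORY: reachable via GET and guarded by no
    // permission check, so any user with Overall/Read can point the
    // controller at an arbitrary URL with an arbitrary credential ID.
    public FormValidation doTestConnectionUnsafe(@QueryParameter String url,
                                                 @QueryParameter String credentialsId) {
        return validate(url, credentialsId);
    }

    // FIXED: @POST makes Stapler reject GET requests (so Jenkins' CSRF
    // crumb applies), and checkPermission() throws for anyone below
    // Overall/Administer, the permission needed to edit this config anyway.
    @POST
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter String credentialsId) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return validate(url, credentialsId);
    }

    // Shared validation (hypothetical): resolve the credential in the global
    // scope and check the URL shape; no network call is made here.
    private FormValidation validate(String url, String credentialsId) {
        try { new URL(url); }
        catch (MalformedURLException e) { return FormValidation.error("Not a valid URL"); }
        StandardCredentials cred = CredentialsMatchers.firstOrNull(
            CredentialsProvider.lookupCredentials(StandardCredentials.class,
                Jenkins.get(), ACL.SYSTEM, Collections.emptyList()),
            CredentialsMatchers.withId(credentialsId));
        if (cred == null) return FormValidation.error("Credential not found");
        // Never echo the secret or a remote response body into the form result.
        return FormValidation.ok("Credential resolved; URL is well-formed");
    }
}
```

For endpoints on a job-level descriptor, the same pattern uses `@AncestorInPath Item item` and `item.checkPermission(Item.CONFIGURE)` instead of the global Administer check.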
A fix was pushed into the master branch but not yet published.