Cross-site Request Forgery (CSRF) Affecting org.jenkins-ci.plugins:dependency-track package, versions [,3.1.1)


0.0
medium

Snyk CVSS

    Attack Complexity High

    Threat Intelligence

    EPSS 0.07% (27th percentile)
Expand this section
NVD
6.5 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JAVA-ORGJENKINSCIPLUGINS-1089850
  • published 31 Mar 2021
  • disclosed 31 Mar 2021
  • credit Justin Philip

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

org.jenkins-ci.plugins:dependency-track is a plugin that aids in publishing CycloneDX and SPDX Software Bill-of-Materials (SBOM) to the Dependency-Track platform

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). It does not perform permission checks in several HTTP endpoints.This allows attackers with overall/read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing secret text credentials stored in Jenkins. If no credentials ID is specified, the globally configured credential is used, if set up, and can likewise be captured. Additionally, these HTTP endpoints do not require POST requests.

NOTE: This vulnerability has also been identified as: CVE-2021-21633