Cross-site Request Forgery (CSRF) Affecting org.jenkins-ci.plugins:release package, versions [,2.10)

Snyk CVSS

Attack Complexity Low

User Interaction Required

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS 0.08% (33^rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JAVA-ORGJENKINSCIPLUGINS-32165
published 8 Apr 2018
disclosed 21 Dec 2017
credit Jesse Glick

Report a new vulnerability Found a mistake?

Introduced: 21 Dec 2017

CVE-2018-1000013 Open this link in a new tab CWE-352 Open this link in a new tab

Overview

org.jenkins-ci.plugins:release adds the ability to wrap your job with pre- and post- build steps which are only executed when a manual release build is triggered.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). It allows attackers to trigger release builds. Attackers were able to trigger release builds.

$$ Remediation Upgrade org.jenkins-ci.plugins:release to version 2.10 or higher.

Cross-site Request Forgery (CSRF) Affecting org.jenkins-ci.plugins:release package, versions [,2.10)

Snyk CVSS

Threat Intelligence

Introduced: 21 Dec 2017

Overview

References