Cross-site Request Forgery (CSRF)
Affecting org.jenkins-ci.plugins:crx-content-package-deployer artifact, versions [,1.9)
org.jenkins-ci.plugins:crx-content-package-deployer is a Jenkins plugin that deploys content packages to Adobe CRX applications, such as Adobe CQ/AEM.
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). The plugin did not perform a permission check on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to make the Jenkins controller connect to an attacker-specified URL using an attacker-specified credentials ID (obtainable through another method of the plugin), capturing credentials stored in Jenkins at the attacker's server. In addition, the form validation method did not require POST requests, so the same request could also be triggered through the browser of a logged-in user who visits an attacker-controlled page, resulting in a CSRF vulnerability.
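The bug class described above, shown as a hypothetical Jenkins form-validation descriptor in Java with the vulnerable pattern beside the hardened one. This is an added example, not code from the CRX Content Package Deployer plugin; the class, method and parameter names (DeployerDescriptor, doTestConnectionVulnerable, doTestConnection, doFillCredentialsIdItems, baseUrl, credentialsId, probe) are assumptions. The hardening follows the standard Jenkins form-validation guidance: annotate the method with @RequirePOST so Jenkins' CSRF crumb check applies, and check the caller's permission on the item (or Overall/Administer at the global level) before using any credentials.

```java
// Hypothetical Jenkins plugin descriptor illustrating the advisory's bug class.
// Added example; not the CRX Content Package Deployer plugin's own code.
package example;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class DeployerDescriptor /* extends Descriptor<...> in a real plugin */ {

    // VULNERABLE pattern. In a real descriptor this is reachable by a plain GET
    // such as /descriptorByName/example.DeployerDescriptor/testConnectionVulnerable
    // ?baseUrl=...&credentialsId=... by anyone with Overall/Read. No permission
    // check and no POST requirement means (a) a low-privileged user can make
    // Jenkins send a stored credential to a URL of their choosing and (b) a
    // cross-site page can trigger the same request via a logged-in user's browser.
    public FormValidation doTestConnectionVulnerable(@QueryParameter String baseUrl,
                                                     @QueryParameter String credentialsId) {
        StandardUsernamePasswordCredentials c = lookup(credentialsId);
        if (c == null) return FormValidation.error("No such credentials");
        return probe(baseUrl, c);
    }

    // HARDENED pattern: require POST (so Jenkins' crumb-based CSRF protection
    // applies) and require that the caller may configure the item, or administer
    // Jenkins when validating at the global configuration level.
    @RequirePOST
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String baseUrl,
                                           @QueryParameter String credentialsId) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        StandardUsernamePasswordCredentials c = lookup(credentialsId);
        if (c == null) return FormValidation.error("No such credentials");
        return probe(baseUrl, c);
    }

    // Companion fix for the "credentials IDs obtained through another method" part:
    // only enumerate credentials for callers allowed to use them; everyone else
    // gets just the currently configured value so the form still renders.
    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
                                                 @QueryParameter String credentialsId) {
        StandardListBoxModel result = new StandardListBoxModel();
        if (item == null) {
            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                return result.includeCurrentValue(credentialsId);
            }
        } else if (!item.hasPermission(Item.EXTENDED_READ)
                && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
            return result.includeCurrentValue(credentialsId);
        }
        return result.includeEmptyValue()
                .includeAs(ACL.SYSTEM, item, StandardUsernamePasswordCredentials.class)
                .includeCurrentValue(credentialsId);
    }

    // Resolve a credentials ID to a stored username/password credential.
    private static StandardUsernamePasswordCredentials lookup(String id) {
        return CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class,
                        Jenkins.get(), ACL.SYSTEM, Collections.emptyList()),
                CredentialsMatchers.withId(id));
    }

    // Hypothetical connection test: one Basic-authenticated GET against baseUrl.
    // This is exactly the step that leaks the credential when baseUrl is attacker-controlled.
    private static FormValidation probe(String baseUrl, StandardUsernamePasswordCredentials c) {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(baseUrl).openConnection();
            String basic = c.getUsername() + ":" + c.getPassword().getPlainText();
            conn.setRequestProperty("Authorization", "Basic "
                    + Base64.getEncoder().encodeToString(basic.getBytes(StandardCharsets.UTF_8)));
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            int status = conn.getResponseCode();
            return status < 400 ? FormValidation.ok("Connected (HTTP " + status + ")")
                                : FormValidation.error("Server returned HTTP " + status);
        } catch (IOException e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }
}
```

Note that the permission check alone does not stop the CSRF variant (an administrator's browser carries the administrator's permissions), and @RequirePOST alone does not stop a low-privileged user who can POST with a valid crumb; both fixes are needed, which matches the two findings in the advisory text.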
Remediation: Upgrade org.jenkins-ci.plugins:crx-content-package-deployer to version 1.9 or higher.