Cross-Site Request Forgery in the Jenkins Claim plugin

2021-06-1617:29:43

Google

osv.dev

4.5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

21.8%

JSON

Jenkins Claim Plugin 2.18.1 and earlier does not require POST requests for the form submission endpoint assigning claims, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to change claims.

Jenkins Claim Plugin 2.18.2 requires POST requests for the affected HTTP endpoint.

CPENameOperatorVersion
org.jenkins-ci.plugins:claimeq2.11
org.jenkins-ci.plugins:claimeq2.1
org.jenkins-ci.plugins:claimeq2.10
org.jenkins-ci.plugins:claimeq2.8
org.jenkins-ci.plugins:claimeq2.14.1
org.jenkins-ci.plugins:claimeq2.13.1
org.jenkins-ci.plugins:claimeq2.9
org.jenkins-ci.plugins:claimeq2.14
org.jenkins-ci.plugins:claimeq2.18
org.jenkins-ci.plugins:claimeq2.18.1

Name	Operator	Version
org.jenkins-ci.plugins:claim	eq	2.11
org.jenkins-ci.plugins:claim	eq	2.1
org.jenkins-ci.plugins:claim	eq	2.10
org.jenkins-ci.plugins:claim	eq	2.8
org.jenkins-ci.plugins:claim	eq	2.14.1
org.jenkins-ci.plugins:claim	eq	2.13.1
org.jenkins-ci.plugins:claim	eq	2.9
org.jenkins-ci.plugins:claim	eq	2.14
org.jenkins-ci.plugins:claim	eq	2.18
org.jenkins-ci.plugins:claim	eq	2.18.1