Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05OThtLWYyeDMtampxNM4AAoNt
CSRF vulnerability in Jenkins Config File Provider Plugin allows deleting configuration files
Jenkins Config File Provider Plugin 3.7.0 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to delete configuration files corresponding to an attacker-specified ID.
This is due to an incomplete fix of SECURITY-938.
Jenkins Config File Provider Plugin 3.7.1 requires POST requests for the affected HTTP endpoint.
Permalink: https://github.com/advisories/GHSA-998m-f2x3-jjq4JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05OThtLWYyeDMtampxNM4AAoNt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 4 months ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Identifiers: GHSA-998m-f2x3-jjq4, CVE-2021-21644
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-21644
- https://www.jenkins.io/security/advisory/2021-04-21/#SECURITY-2202
- http://www.openwall.com/lists/oss-security/2021/04/21/2
- https://github.com/jenkinsci/config-file-provider-plugin/commit/9ffc32379477c4395ab17ff19b04b9f1286ceedb
- https://github.com/advisories/GHSA-998m-f2x3-jjq4
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:config-file-provider
Affected Version Ranges: <= 3.7.0Fixed in: 3.7.1