An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1oN3BmLWg1OHItbXY5M84AAtEA

CSRF vulnerability in Jenkins XebiaLabs XL Release Plugin allow capturing credentials

XebiaLabs XL Release Plugin 22.0.0 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

XebiaLabs XL Release Plugin 22.0.1 requires POST requests and Overall/Administer permission for the affected form validation methods.

Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 11 months ago
Updated: 4 months ago

CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Identifiers: GHSA-h7pf-h58r-mv93, CVE-2022-34780

Affected Packages
Versions: <= 22.0.0
Fixed in: 22.0.1