Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1obXc2LXI1NDctNDJmcs4AA0qC
Jenkins Pipeline restFul API Plugin vulnerable to Cross Site Request Forgery
Jenkins Pipeline restFul API Plugin 0.11 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to have Jenkins connect to an attacker-specified URL, capturing a newly generated JCLI token that allows impersonating the victim.
Permalink: https://github.com/advisories/GHSA-hmw6-r547-42frJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1obXc2LXI1NDctNDJmcs4AA0qC
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 10 months ago
Updated: 6 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-hmw6-r547-42fr, CVE-2023-37957
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-37957
- https://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-3126
- http://www.openwall.com/lists/oss-security/2023/07/12/2
- https://github.com/advisories/GHSA-hmw6-r547-42fr
Affected Packages
maven:io.jenkins.plugins:pipeline-restful-api
Affected Version Ranges: <= 0.11No known fixed version