Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xNTY0LXZ2eDgtOTM4OM4AAmCg
CSRF vulnerability in Jenkins warnings Plugin allows remote code execution
warnings Plugin 5.0.1 and earlier does not require POST requests for a form validation method intended for testing custom warnings parsers, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to execute arbitrary code.
warnings Plugin 5.0.2 requires POST requests for the affected form validation method.
This vulnerability was caused by an incomplete fix to SECURITY-1295.
Permalink: https://github.com/advisories/GHSA-q564-vvx8-9388JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xNTY0LXZ2eDgtOTM4OM4AAmCg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: 4 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Identifiers: GHSA-q564-vvx8-9388, CVE-2020-2280
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-2280
- https://www.jenkins.io/security/advisory/2020-09-23/#SECURITY-2042
- http://www.openwall.com/lists/oss-security/2020/09/23/1
- https://github.com/advisories/GHSA-q564-vvx8-9388
Affected Packages
maven:org.jvnet.hudson.plugins:warnings
Versions: <= 5.0.1Fixed in: 5.0.2