MEDIUM 4.3 Maven
Jenkins GitHub Branch Source Plugin vulnerable to Server-Side Request Forgery
GHSA-9cfq-v2hm-c3xr · CVE-2018-1000185
Published · Modified
Description
A server-side request forgery vulnerability exists in Jenkins GitHub Branch Source Plugin 2.3.4 and older in Endpoint.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL. Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability. As of version 23.5, this form validation method requires POST requests and the Overall/Administer permission.
References
Ready to move
Start Securing
Free, no credit card | First findings in minutes