Jenkins GitHub Branch Source Plugin vulnerable to Server-Side Request Forgery

A server-side request forgery vulnerability exists in Jenkins GitHub Branch Source Plugin 2.3.4 and older in Endpoint.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL. Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability. As of version 23.5, this form validation method requires POST requests and the Overall/Administer permission.

References

Published by the National Vulnerability Database Jun 5, 2018

Published to the GitHub Advisory Database May 14, 2022

Reviewed Dec 12, 2022

Last updated Dec 18, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

References

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

EPSS score

Weaknesses

CVE ID

GHSA ID

Source code