CVE-2017-1000090
Published: 2017-10-05
Severity: High, 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Role-based Authorization Strategy Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to add administrator role to any user, or to remove the authorization configuration, preventing legitimate access to Jenkins.
Affected (18 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | build_step_plugin | — | — |
| jenkins | credentials_plugin | — | — |
| jenkins | docker_commons_plugin | — | — |
| jenkins | git_plugin | — | — |
| jenkins | github_branch_source_plugin | — | — |
| jenkins | groovy_plugin | — | — |
| jenkins | ids_in_docker_commons_plugin | — | — |
| jenkins | ids_in_github_branch_source_plugin | — | — |
| jenkins | parameterized_trigger_plugin | — | — |
| jenkins | periodic_backup_plugin | — | — |
| jenkins | plugins_like_authorize_project_plugin | — | — |
| jenkins | poll_scm_plugin | — | — |
| jenkins | role-based_authorization_strategy | <= 2.5.0 | — |
| jenkins | role-based_authorization_strategy_plugin | — | — |
| jenkins | script_security_plugin | — | — |
| jenkins | sidebar_link_plugin | — | — |
| jenkins | ssh_plugin | — | — |
| jenkins | subversion_plugin | — | — |