CVE-2017-1000091: Cross-Site Request Forgery in Jenkins GitHub Branch Source

Severity: 6.3 MEDIUM (NVD)
EPSS: 0.1% (top 79.55%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 5; Latest update May 17

Description

GitHub Branch Source Plugin connects to a user-specified GitHub API URL (e.g. GitHub Enterprise) as part of form validation and completion (e.g. to verify Scan Credentials are correct). This functionality improperly checked permissions, allowing any user with Overall/Read access to Jenkins to connect to any web server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be perf

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Exploitability: 2.8 | Impact: 3.4

Affected Packages (1 package)

NVD: jenkins/github_branch_source (22 versions, +21)

Vulnerability Details (3)

GHSA: Jenkins GitHub Branch Source Plugin vulnerable to Cross-Site Request Forgery (2022-05-17)
OSV: Jenkins GitHub Branch Source Plugin vulnerable to Cross-Site Request Forgery (2022-05-17)
CVEList: CVE-2017-1000091: GitHub Branch Source Plugin connects to a user-specified GitHub API URL (e (2017-10-04)

Vendor Advisories (1)

Jenkins: Jenkins Security Advisory 2017-07-10 (2017-07-10)
CVE-2017-1000091 — Cross-Site Request Forgery | cvebase