Jenkins XebiaLabs XL Deploy Plugin vulnerable to Cross-site request forgery (CSRF)
Severity: Moderate (GitHub Reviewed)

Package: affected versions < 7.5.5; patched version 7.5.5

Published by the National Vulnerability Database: Apr 18, 2019
Published to the GitHub Advisory Database: May 24, 2022
Reviewed: Oct 26, 2023
Last updated: Dec 13, 2023

Description
A missing permission check in a form validation method in Jenkins XebiaLabs XL Deploy Plugin allows users with Overall/Read permission to initiate a connection test to an attacker-specified server with attacker-specified credentials.
Additionally, the form validation method does not require POST requests, resulting in a CSRF vulnerability.
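As an added illustration (not the plugin's own code; every class, method and field name here is hypothetical), the following shows the Jenkins form-validation pattern the advisory describes, first in the unprotected shape and then with the two controls whose absence is reported: a permission check before the outbound connection, and `@RequirePOST` so the method cannot be triggered by a cross-site GET.

```java
import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

/**
 * Hypothetical global configuration descriptor with a "Test connection" button.
 * The class and both validation methods are constructed for this example.
 */
@Extension
public class ExampleDeployConfig extends GlobalConfiguration {

    // Unprotected pattern: reachable over GET by anyone with Overall/Read, so a
    // crafted link is enough to make the controller connect to an arbitrary server
    // with arbitrary credentials. This is the shape the advisory reports.
    public FormValidation doTestConnectionUnsafe(@QueryParameter String url,
                                                 @QueryParameter String username,
                                                 @QueryParameter String password) {
        return tryConnect(url, username, password);
    }

    // Hardened pattern: @RequirePOST rejects GET (and with it the CSRF vector,
    // because POSTs must carry a crumb), and the permission check runs before any
    // network activity so Overall/Read users cannot reach the connection test at all.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter String username,
                                           @QueryParameter String password) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return tryConnect(url, username, password);
    }

    // Placeholder for the real connection attempt; only validates the input here.
    private FormValidation tryConnect(String url, String username, String password) {
        if (url == null || url.trim().isEmpty()) {
            return FormValidation.error("Server URL is required");
        }
        if (username == null || username.trim().isEmpty()) {
            return FormValidation.warning("No username supplied; anonymous access will be attempted");
        }
        return FormValidation.ok("Connection settings accepted");
    }
}
```

The Jelly `f:validateButton` element that drives such a method submits via POST, so adding `@RequirePOST` does not break the configuration page; what it removes is the ability to invoke the method from an image tag or link on another site. When reviewing a plugin, look for every `doCheck*`/`doTest*`/`doValidate*` method that performs network or filesystem access and confirm it has both a `checkPermission` call and `@RequirePOST`.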