Cross-Site Request Forgery in Jenkins
Moderate severity
GitHub Reviewed
Published
May 13, 2022
to the GitHub Advisory Database
•
Updated Jan 27, 2023
Package
Affected versions
<= 2.107.2
>= 2.108, <= 2.120
Patched versions
2.107.3
2.121
Description
Published by the National Vulnerability Database
Jun 5, 2018
Published to the GitHub Advisory Database
May 13, 2022
Reviewed
Jun 30, 2022
Last updated
Jan 27, 2023
A server-side request forgery vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in ZipExtractionInstaller.java that allows users with Overall/Read permission to have Jenkins submit a HTTP GET request to an arbitrary URL and learn whether the response is successful (200) or not.
References