Jenkins Warnings Next Generation Plugin cross-site request forgery vulnerability
High severity
GitHub Reviewed
Published
May 13, 2022
to the GitHub Advisory Database
•
Updated Oct 25, 2023
Description
Published by the National Vulnerability Database
Feb 6, 2019
Published to the GitHub Advisory Database
May 13, 2022
Last updated
Oct 25, 2023
Reviewed
Oct 25, 2023
Jenkins Warnings Next Generation Plugin has a form validation HTTP endpoint used to validate a Groovy script through compilation, which was not subject to sandbox protection. The endpoint checked for the Overall/RunScripts permission, but did not require POST requests, so it was vulnerable to cross-site request forgery (CSRF). This allowed attackers to execute arbitrary code on the Jenkins controller by applying AST transforming annotations such as
@Grab
to source code elements.The affected HTTP endpoint now applies a safe Groovy compiler configuration preventing the use of unsafe AST transforming annotations. Additionally, the form validation HTTP endpoint now requires that requests be sent via POST to prevent CSRF.
References