CVE-2019-1003008 – io.jenkins.plugins:warnings-ng
Package
Manager: maven
Name: io.jenkins.plugins:warnings-ng
Vulnerable Version: >=0 <=2.1.1
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00067 (percentile 0.21067)
Details
Jenkins Warnings Next Generation Plugin cross-site request forgery vulnerability
Jenkins Warnings Next Generation Plugin has a form validation HTTP endpoint used to validate a Groovy script through compilation, which was not subject to sandbox protection. The endpoint checked for the Overall/RunScripts permission, but did not require POST requests, so it was vulnerable to cross-site request forgery (CSRF). This allowed attackers to execute arbitrary code on the Jenkins controller by applying AST transforming annotations such as `@Grab` to source code elements. The affected HTTP endpoint now applies a safe Groovy compiler configuration preventing the use of unsafe AST transforming annotations. Additionally, the form validation HTTP endpoint now requires that requests be sent via POST to prevent CSRF.
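The two defects and the two fixes described above, shown side by side as an added illustration. This is not the plugin's own code: the class, method names and `compileSafely` helper are hypothetical, and the use of `GroovySandbox.createSecureCompilerConfiguration()` from the script-security plugin as the "safe Groovy compiler configuration" is an assumption about how such a configuration is obtained. The shape of a Stapler form-validation method (`doCheckXxx` returning `FormValidation`, `@QueryParameter`, `@RequirePOST`) is standard Jenkins plugin API.

```java
package example; // hypothetical package; illustration only, not the plugin's code

import groovy.lang.Binding;
import groovy.lang.GroovyShell;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.codehaus.groovy.control.CompilationFailedException;
import org.codehaus.groovy.control.CompilerConfiguration;
// Assumption: script-security's GroovySandbox provides a compiler configuration that
// rejects unsafe AST-transforming annotations such as @Grab at compile time.
import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class ScriptValidationExample {

    // Pre-fix shape, as the advisory describes it. The permission check runs with the
    // victim's session, so a GET forged by a third-party page passes it; the default
    // compiler configuration then applies AST transforms while merely compiling.
    public FormValidation doCheckScriptVulnerable(@QueryParameter String script) {
        Jenkins.get().checkPermission(Jenkins.RUN_SCRIPTS);
        try {
            new GroovyShell().parse(script); // compile only, but AST transforms still execute
            return FormValidation.ok();
        } catch (CompilationFailedException e) {
            return FormValidation.error(e.getMessage());
        }
    }

    // Post-fix shape: both mitigations from the advisory.
    // 1. @RequirePOST makes Stapler reject non-POST requests; Jenkins applies its CSRF crumb
    //    check to POSTs, so a forged cross-site request no longer reaches this method.
    // 2. Compilation uses a secure compiler configuration that blocks unsafe AST transforms.
    @RequirePOST
    public FormValidation doCheckScript(@QueryParameter String script) {
        Jenkins.get().checkPermission(Jenkins.RUN_SCRIPTS);
        try {
            compileSafely(script);
            return FormValidation.ok();
        } catch (CompilationFailedException e) {
            return FormValidation.error(e.getMessage());
        }
    }

    // Hypothetical helper: parse (compile) without running, under the restricted configuration.
    static void compileSafely(String script) throws CompilationFailedException {
        CompilerConfiguration cc = GroovySandbox.createSecureCompilerConfiguration();
        new GroovyShell(ScriptValidationExample.class.getClassLoader(), new Binding(), cc)
                .parse(script);
    }
}
```

The point to check when reviewing a form-validation endpoint of this kind is that neither fix alone is sufficient: requiring POST removes the CSRF vector but would still let a legitimately authorised user trigger compile-time code execution, and the safe compiler configuration removes the code-execution vector but would still let an unauthenticated page drive the endpoint with the victim's session. The advisory applies both.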
Metadata
Created: 2022-05-13T01:31:35Z
Modified: 2023-10-25T23:03:12Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-whf8-3h58-2w9f/GHSA-whf8-3h58-2w9f.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-whf8-3h58-2w9f
Finding: F007
Auto approve: 1