
CVE-2021-21617 org.jenkins-ci.plugins:configurationslicing

Package

Manager: maven
Name: org.jenkins-ci.plugins:configurationslicing
Vulnerable Version: >=0 <1.52

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00074 (percentile 0.23059)

Details

CSRF vulnerability in Jenkins Configuration Slicing Plugin

Jenkins Configuration Slicing Plugin 1.51 and earlier does not require POST requests for the form submission endpoint reconfiguring slices, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to apply different slice configurations to attacker-specified jobs. Jenkins Configuration Slicing Plugin 1.52 requires POST requests for the affected HTTP endpoint.
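The pattern behind the fix, shown as an added illustration rather than the plugin's own source: a Stapler web method that any HTTP method can reach, beside the same method restricted with `@RequirePOST` so that Jenkins' crumb (CSRF token) check applies. The class, method names, request parameters and the in-memory map standing in for real job reconfiguration are assumptions made for this example.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;
import hudson.model.Job;
import jenkins.model.Jenkins;

/** Hypothetical slice-editing action; names and parameters are assumptions, not the plugin's code. */
public class SliceConfigAction {
    /** Constructed in-memory store (job full name -> slice value) standing in for real job reconfiguration. */
    private final Map<String, String> sliceValues = new HashMap<>();

    // Shape of the affected endpoint (1.51 and earlier): the body runs for any HTTP method, so a
    // GET loaded by a third-party page in a logged-in user's browser reconfigures whichever jobs
    // the query string names. Jenkins' crumb filter only validates POST, so nothing blocks it.
    public void doSliceConfigSubmitUnsafe(StaplerRequest req, StaplerResponse rsp)
            throws IOException, ServletException {
        applySlice(req);
        rsp.sendRedirect(".");
    }

    // Shape of the fix (1.52): @RequirePOST makes Stapler reject non-POST requests before the body
    // runs, and the POST that remains must carry a valid crumb, which a cross-site page cannot obtain.
    @RequirePOST
    public void doSliceConfigSubmit(StaplerRequest req, StaplerResponse rsp)
            throws IOException, ServletException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER); // assumption: treat slicing as admin-only
        applySlice(req);
        rsp.sendRedirect(".");
    }

    /** Apply one slice value to every existing job named in the request; unknown names are skipped. */
    void applySlice(StaplerRequest req) {
        String value = req.getParameter("value");
        String[] jobs = req.getParameterValues("job");
        if (value == null || jobs == null) {
            return;
        }
        for (String name : jobs) {
            Job<?, ?> job = Jenkins.get().getItemByFullName(name, Job.class);
            if (job != null) {
                sliceValues.put(job.getFullName(), value);
            }
        }
    }
}
```

When reviewing a plugin for this class of issue, every `do*` method that changes state should carry `@RequirePOST` (or `@POST`); a state-changing method without it is the condition this advisory describes.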

Metadata

Created: 2022-05-24T17:43:00Z
Modified: 2023-10-27T13:41:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-42mm-x828-56c7/GHSA-42mm-x828-56c7.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-42mm-x828-56c7
Finding: F007
Auto approve: 1