CVE-2023-40351 – org.jenkins-ci.plugins:favorite-view
Package
Manager: maven
Name: org.jenkins-ci.plugins:favorite-view
Vulnerable Version: >=0 <=5.v77a_37f62782d (all releases up to and including 5.v77a_37f62782d; no fixed release existed when the advisory was published)
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00048 (percentile 0.1456)
Details
Jenkins Favorite View Plugin cross-site request forgery vulnerability
Jenkins Favorite View Plugin 5.v77a_37f62782d and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. Because Jenkins enforces its CSRF crumb check only on POST requests, a state-changing endpoint that also accepts GET can be triggered by a link or embedded image on an attacker-controlled page while the victim is logged in. This vulnerability allows attackers to add or remove views from another user's favorite views tab bar. As of publication of this advisory, there is no fix.
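The standard remedy in Jenkins plugins is to mark the Stapler web method with @RequirePOST (org.kohsuke.stapler.interceptor.RequirePOST) or @POST (org.kohsuke.stapler.verb.POST) so that non-POST requests are rejected before the handler runs. The following audit script is an added example, not code from the Favorite View plugin or from the Jenkins project: it scans Java source for public do*() handlers that lack either annotation and runs over a constructed snippet whose package, class, field and method names are hypothetical.

```python
"""Added audit check: flag Stapler web methods (public do*()) in Jenkins plugin
sources that can be reached by GET because no POST-only annotation is present."""
import re
from dataclasses import dataclass

# Annotations that make Stapler reject anything but POST for a web method.
POST_ONLY_ANNOTATIONS = {"RequirePOST", "POST"}

# Heuristic for a Stapler web method: a public method named do<Something>.
# Public non-web methods that happen to start with "do" are reported too,
# so treat hits as candidates for review rather than confirmed bugs.
WEB_METHOD_RE = re.compile(r"\bpublic\b[^=;{]*?\b(do[A-Z]\w*)\s*\(")
ANNOTATION_RE = re.compile(r"@([A-Za-z_]\w*)")


@dataclass
class Finding:
    line: int          # 1-based line of the method declaration
    method: str        # handler name, e.g. doAddFavorite
    annotations: tuple # annotations seen on the handler (none of them POST-only)


def unprotected_web_methods(java_source: str) -> list:
    """Return a Finding for every public do*() method without @RequirePOST/@POST."""
    findings = []
    pending = []  # annotations collected since the last non-annotation statement
    for lineno, raw in enumerate(java_source.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("//", "*", "/*")):
            continue
        match = WEB_METHOD_RE.search(line)
        if match:
            # Annotations may precede the method on their own lines or sit on
            # the declaration line itself, before the method name.
            annots = pending + ANNOTATION_RE.findall(line[:match.start(1)])
            if not POST_ONLY_ANNOTATIONS & set(annots):
                findings.append(Finding(lineno, match.group(1), tuple(annots)))
            pending = []
        elif line.startswith("@"):
            pending.extend(ANNOTATION_RE.findall(line))
        else:
            pending = []
    return findings


# Constructed sample (hypothetical names, not the plugin's real source): one
# handler left reachable by GET, the CSRF-prone shape the advisory describes,
# and two hardened ones.
SAMPLE_JAVA = """\
package example;   // hypothetical package and class names

import org.kohsuke.stapler.interceptor.RequirePOST;
import org.kohsuke.stapler.verb.POST;

public class FavoritesAction {
    // Reachable by a plain GET link or <img src>, so Jenkins' crumb check
    // (enforced only for POST) never runs: the CSRF-prone shape.
    public HttpResponse doAddFavorite(@QueryParameter String view) {
        favorites.add(view);
        return HttpResponses.ok();
    }

    // Hardened: Stapler rejects anything but POST, and POST carries the crumb.
    @RequirePOST
    public HttpResponse doRemoveFavorite(@QueryParameter String view) {
        favorites.remove(view);
        return HttpResponses.ok();
    }

    // Also fine: the annotation may sit on the declaration line itself.
    @POST public HttpResponse doClearFavorites() { favorites.clear(); return HttpResponses.ok(); }

    @Override
    public String getDisplayName() { return "Favorites"; }
}
"""


if __name__ == "__main__":
    for f in unprotected_web_methods(SAMPLE_JAVA):
        print(f"line {f.line}: {f.method}() accepts GET; add @RequirePOST or @POST")
```

Run it against a plugin's src/main/java tree (for example, feeding each .java file to unprotected_web_methods) to get a short list of handlers to review. A reported handler is only a real CSRF issue if it changes state; read-only do*() methods can legitimately stay on GET.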
Metadata
Created: 2023-08-16T15:30:18Z
Modified: 2023-08-18T14:29:06Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-jrj6-qx48-3cpq/GHSA-jrj6-qx48-3cpq.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-jrj6-qx48-3cpq
Finding: F007
Auto approve: 1