CVE-2021-21641 – org.jenkins-ci.plugins:promoted-builds
Package
Manager: maven
Name: org.jenkins-ci.plugins:promoted-builds
Vulnerable Version: >=0 <3.9.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.02526 (percentile 0.8487)
Details
CSRF vulnerability in Jenkins promoted builds Plugin
Jenkins promoted builds Plugin 3.9 and earlier does not require POST requests for HTTP endpoints implementing promotion (regular, forced, and re-execute), resulting in cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities allow attackers to promote builds. Jenkins promoted builds Plugin 3.9.1 requires POST requests for the affected HTTP endpoints. A security hardening since Jenkins 2.287 and LTS 2.277.2 prevents exploitation of this vulnerability.
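Added illustration, not code from the promoted-builds plugin: a minimal Jenkins build action with one web method in the shape the 3.9 endpoints had and one in the shape 3.9.1 adopted. The class, method and permission names (PromotionDemoAction, doPromote, Item.BUILD) are assumptions; the Stapler @RequirePOST annotation, the permission check and the crumb behaviour it relies on are real Jenkins/Stapler APIs.

```java
package example; // hypothetical package, not part of the promoted-builds plugin

import hudson.model.AbstractBuild;
import hudson.model.Action;
import hudson.model.Item;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.interceptor.RequirePOST;

/**
 * Illustrative build action exposing a "promote" web method (hypothetical names).
 * Stapler maps a method named doPromote() to the URL .../promote under this action.
 */
public class PromotionDemoAction implements Action {
    private final AbstractBuild<?, ?> build;

    public PromotionDemoAction(AbstractBuild<?, ?> build) { this.build = build; }

    // Shape of the 3.9 endpoints: any HTTP method reaches the state change. Jenkins'
    // CrumbFilter only validates the CSRF crumb on POST, so a plain GET issued by
    // another origin in a logged-in user's browser is processed without a crumb.
    public HttpResponse doPromoteUnsafe(StaplerRequest req) {
        build.getParent().checkPermission(Item.BUILD); // authorization alone does not stop CSRF
        performPromotion(req.getParameter("name"));
        return HttpResponses.ok();
    }

    // Shape of the 3.9.1 fix: @RequirePOST makes Stapler answer non-POST requests with
    // 405 (Allow: POST), and the POST that remains must carry a valid crumb, which a
    // cross-origin page cannot obtain.
    @RequirePOST
    public HttpResponse doPromote(StaplerRequest req) {
        build.getParent().checkPermission(Item.BUILD);
        performPromotion(req.getParameter("name"));
        return HttpResponses.ok();
    }

    private void performPromotion(String promotionName) {
        // stand-in for the plugin's actual promotion logic (constructed placeholder)
    }

    @Override public String getIconFileName() { return null; }
    @Override public String getDisplayName() { return "Promotion demo"; }
    @Override public String getUrlName() { return "promotion-demo"; }
}
```

When auditing a plugin for this class of bug, every web method (do* name) that changes state should carry @RequirePOST or @POST; a plain GET against the endpoint that returns anything other than 405 is the quick check.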
Metadata
Created: 2022-05-24T17:46:47Z
Modified: 2023-10-27T14:01:31Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5cxw-8v65-76vf/GHSA-5cxw-8v65-76vf.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-5cxw-8v65-76vf
Finding: F007
Auto approve: 1