logo

Database

Server-side request forgery (SSRF) In org.jenkins-ci.plugins:github-branch-source

Description

Jenkins GitHub Branch Source Plugin vulnerable to Server-Side Request Forgery A server-side request forgery vulnerability exists in Jenkins GitHub Branch Source Plugin 2.3.4 and older in Endpoint.java that allows attackers with Overall/Read access to cause Jenkins to send a GET request to a specified URL. Additionally, this form validation method did not require POST requests, resulting in a CSRF vulnerability. As of version 23.5, this form validation method requires POST requests and the Overall/Administer permission.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2018-10001852. NVD-2018-10001853. OSV-2018-10001854. GCVE-2018-1000185

References

1. https://github.com/jenkinsci/github-branch-source-plugin/commit/22d3383002274bc3f4368534eba2b5c852e78b392. https://jenkins.io/security/advisory/2018-06-04/#SECURITY-806

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.