logo

Database

Cross-site request forgery In org.jenkins-ci.plugins:lucene-search

Description

Jenkins Lucene-Search Plugin vulnerable to Cross-Site Request Forgery Jenkins Lucene-Search Plugin 387.v938a_ecb_f7fe9 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to reindex the database.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2023-305292. NVD-2023-305293. OSV-2023-305294. GCVE-2023-30529

References

1. https://github.com/jenkinsci/lucene-search-plugin/commit/828f79fedbe3da08b17937a85b98b5d7f499a8dd2. https://github.com/jenkinsci/lucene-search-plugin/commit/ffd691642b8dda63b55cfc7e73993336554dbcb23. https://www.jenkins.io/security/advisory/2023-04-12/#SECURITY-30134. http://www.openwall.com/lists/oss-security/2023/04/13/3

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.