GHSA-2f89-66v2-9p53

Source

https://github.com/advisories/GHSA-2f89-66v2-9p53

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-2f89-66v2-9p53/GHSA-2f89-66v2-9p53.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-2f89-66v2-9p53

Aliases

CVE-2023-32980

Published

2023-05-16T18:30:16Z

Modified

2024-02-16T08:12:48.538864Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Jenkins Email Extension Plugin Cross-Site Request Forgery vulnerability

Details

Jenkins Email Extension Plugin 2.96 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This allows attackers to make another user stop watching an attacker-specified job.

Email Extension Plugin 2.96.1 requires POST requests for the affected HTTP endpoint.

References

Affected packages

Maven / org.jenkins-ci.plugins:email-ext

Package

Name: org.jenkins-ci.plugins:email-ext; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/email-ext

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.96.1

Affected versions

2.*

2.11

2.12

2.13

2.14

2.14.1

2.15

2.16

2.18

2.19

2.20

2.21

2.22

2.24.1

2.25

2.27

2.27.1

2.28

2.29

2.30

2.30.1

2.30.2

2.31

2.32

2.33

2.34

2.35

2.35.1

2.36

2.37

2.37.1

2.37.2

2.37.2.2

2.38

2.38.1

2.38.2

2.39

2.39.3

2.40-beta

2.40

2.40.1

2.40.2

2.40.3

2.40.4

2.40.5

2.41

2.41.2

2.41.3

2.42

2.43

2.44

2.45

2.46

2.47

2.50

2.51

2.52

2.53

2.54

2.55

2.56

2.57

2.57.1

2.57.2

2.58

2.59

2.60

2.61

2.62

2.62.1

2.63

2.64

2.65

2.66

2.68

2.68.1

2.68.2

2.69

2.69.1

2.69.2

2.71

2.72

2.73

2.74

2.75

2.76

2.77

2.78

2.79

2.80

2.81

2.82

2.83

2.84

2.85

2.86

2.87

2.88

2.89

2.89.0.1

2.89.0.2

2.89.1

2.90

2.91

2.92

2.93

2.93.1

2.94

2.95

2.96