GHSA-4vqp-pcm3-73xp

Source

https://github.com/advisories/GHSA-4vqp-pcm3-73xp

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-4vqp-pcm3-73xp/GHSA-4vqp-pcm3-73xp.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-4vqp-pcm3-73xp

Aliases

CVE-2023-40336

Published

2023-08-16T15:30:17Z

Modified

2024-02-16T08:23:33.059006Z

Severity

8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Jenkins Folders Plugin cross-site request forgery vulnerability

Details

Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to copy an item, which could potentially automatically approve unsandboxed scripts and allow the execution of unsafe scripts.

Folders Plugin 6.848.ve3bfd7839a81 requires POST requests for the affected HTTP endpoint.

Database specific

{
    "nvd_published_at": "2023-08-16T15:15:11Z",
    "cwe_ids": [
        "CWE-352"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-16T21:14:11Z"
}

References

Affected packages

Maven / org.jenkins-ci.plugins:cloudbees-folder

Package

Name: org.jenkins-ci.plugins:cloudbees-folder; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/cloudbees-folder

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.848.ve3b

Affected versions

4.*

4.0

4.0.1

4.1

4.2

4.2.1

4.2.2

4.2.3

4.3

4.4

4.5

4.6

4.6.1

4.7

4.8

4.9

4.10

4.11-beta-1

5.*

5.0

5.1-beta-1

5.1-beta-2

5.1

5.2

5.2.1

5.2.2

5.3

5.4

5.5

5.6

5.7

5.8

5.9

5.10

5.11

5.12

5.13

5.14

5.15

5.16

5.17-beta-1

5.17

5.18

6.*

6.0.0

6.0.1

6.0.2

6.0.3

6.0.4

6.1.0

6.1.1

6.1.2

6.2.0

6.2.1

6.3

6.4

6.5

6.5.1

6.6

6.7

6.8

6.9

6.10.0

6.10.1

6.11

6.11.1

6.12

6.13

6.14

6.15

6.16

6.17

6.18

6.688.vfc7a_a_69059e0

6.708.ve61636eb_65a_5

6.714.v79e858ef76a_2

6.722.v8165b_a_cf25e9

6.729.v2b_9d1a_74d673

6.736.v5f554b_b_a_52b_3

6.740.ve4f4ffa_dea_54

6.758.vfd75d09eea_a_1

6.766.v6df9a_0e638ef

6.770.ve57b_a_fb_6a_67c

6.773.vd2dcc704ee7e

6.784.vc60058fa_f269

6.792.v495e640810da

6.795.v3e23d3c6f194

6.797.v8df9950d783b

6.800.v71307ca_b_986b

6.815.v0dd5a_cb_40e0e

6.846.v23698686f0f6