GHSA-998m-f2x3-jjq4

Source

https://github.com/advisories/GHSA-998m-f2x3-jjq4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-998m-f2x3-jjq4/GHSA-998m-f2x3-jjq4.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-998m-f2x3-jjq4

Aliases

CVE-2021-21644

Published

2022-05-24T17:48:05Z

Modified

2024-02-16T08:09:57.507133Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L CVSS Calculator

Summary

CSRF vulnerability in Jenkins Config File Provider Plugin allows deleting configuration files

Details

Jenkins Config File Provider Plugin 3.7.0 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to delete configuration files corresponding to an attacker-specified ID.

This is due to an incomplete fix of SECURITY-938.

Jenkins Config File Provider Plugin 3.7.1 requires POST requests for the affected HTTP endpoint.

References

Affected packages

Maven / org.jenkins-ci.plugins:config-file-provider

Package

Name: org.jenkins-ci.plugins:config-file-provider; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/config-file-provider

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.7.1

Affected versions

1.*

1.0

1.1

1.2

1.5

1.6.1

1.9.1

2.*

2.0

2.1

2.1.1

2.2.1

2.3

2.4

2.5

2.5.1

2.6

2.6.1

2.6.2

2.7

2.7.1

2.7.4

2.7.5

2.8.1

2.9.2

2.9.3

2.10.0

2.10.1

2.11

2.13

2.14-beta

2.14.1-beta

2.14.2-beta

2.15

2.15.1

2.15.2-beta

2.15.3-beta

2.15.3

2.15.4

2.15.5

2.15.6

2.15.7

2.16.0

2.16.1

2.16.2

2.16.3

2.16.4

2.17

2.18

3.*

3.0

3.1

3.2

3.3

3.4

3.4.1

3.5

3.6

3.6.2

3.6.3

3.7.0

Database specific

{
    "last_known_affected_version_range": "<= 3.7.0"
}