GHSA-cpc3-gm2x-mrvp

Source
https://github.com/advisories/GHSA-cpc3-gm2x-mrvp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-cpc3-gm2x-mrvp/GHSA-cpc3-gm2x-mrvp.json
Aliases
  • CVE-2023-33004
Published
2023-05-16T18:30:16Z
Modified
2024-02-16T08:15:45.210388Z
Details

Jenkins Tag Profiler Plugin 0.2 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to reset profiler statistics.

Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.
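The two defects described above (no permission check, and an endpoint that accepts GET so it can be driven cross-site) are the standard pair a Jenkins plugin reviewer looks for in any state-changing web method. The following is an added illustration, not code from the Tag Profiler plugin or from the advisory: a hypothetical `RootAction` (package, class and URL names are assumptions) whose `doResetWeak` method has the shape the advisory describes, beside `doReset`, which applies the two Jenkins core controls that close both issues. The only APIs used are Jenkins core and Stapler ones (`@RequirePOST`, `Jenkins.get().checkPermission`, `HttpResponses.ok()`).

```java
package example.profiler; // hypothetical package, not the Tag Profiler plugin's

import hudson.Extension;
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.interceptor.RequirePOST;

/**
 * Hypothetical root action that exposes a "reset statistics" endpoint under
 * /profilerExample/. The two web methods contrast the weak pattern the
 * advisory describes with the hardened one.
 */
@Extension
public class ProfilerExampleAction implements RootAction {

    // Constructed in-memory counter standing in for real profiler statistics.
    private long samples = 0;

    @Override public String getIconFileName() { return null; } // hidden from the sidebar
    @Override public String getDisplayName() { return null; }
    @Override public String getUrlName() { return "profilerExample"; }

    public void record() { samples++; }
    public long getSamples() { return samples; }

    /*
     * Weak pattern (what the advisory describes; kept here only for contrast):
     * reachable at GET /profilerExample/resetWeak by any user who can reach
     * Jenkins, and triggerable from a third-party page, because there is
     * neither a permission check nor a POST requirement.
     */
    public HttpResponse doResetWeak() {
        samples = 0;
        return HttpResponses.ok();
    }

    /*
     * Hardened pattern:
     *  - @RequirePOST makes Stapler reject GET requests, so the action cannot
     *    be fired by a link or image tag; a POST from the Jenkins UI also
     *    carries the CSRF crumb that Jenkins validates.
     *  - checkPermission throws AccessDeniedException (rendered as HTTP 403)
     *    unless the current user holds Overall/Administer, so Overall/Read
     *    alone is no longer sufficient to reset the statistics.
     */
    @RequirePOST
    public HttpResponse doReset() {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        samples = 0;
        return HttpResponses.ok();
    }
}
```

When reviewing a plugin for this class of issue, the check is mechanical: every `do*` method that mutates state should carry `@RequirePOST` (or otherwise verify the method) and call `checkPermission` with a permission stronger than Overall/Read before touching anything. Until a fixed release exists, the practical mitigation for an affected instance is to restrict which accounts hold Overall/Read, since that is the only permission the weak endpoint requires.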

References

Affected packages

Maven / org.jenkins-ci.plugins:tag-profiler

Package

Name
org.jenkins-ci.plugins:tag-profiler

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (the exact introduced commit is unknown)
Last affected
0.2

Affected versions

0.*

0.1
0.2