GHSA-x77r-7m5w-pqq2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-x77r-7m5w-pqq2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-x77r-7m5w-pqq2/GHSA-x77r-7m5w-pqq2.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-x77r-7m5w-pqq2
- Aliases
- Published
- 2022-05-24T19:12:36Z
- Modified
- 2024-02-16T08:19:48.084034Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Jenkins Azure AD Plugin allows bypassing CSRF protection for any URL
- Details
-
An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. Jenkins Azure AD Plugin implements this extension point for URLs used by a JavaScript component.
In Jenkins Azure AD Plugin 179.vf6841393099e and earlier this implementation is too permissive, allowing attackers to craft URLs that would bypass the CSRF protection of any target URL.
This vulnerability was originally introduced in Azure AD Plugin 164.v5b48baa961d2.
Azure AD Plugin 180.v8b1e80e6f242 no longer allows bypassing CSRF protection for URLs used by the JavaScript component. Instead, that component was reconfigured to pass the expected CSRF token.
- Database specific
{ "nvd_published_at": "2021-08-31T14:15:00Z", "cwe_ids": [ "CWE-352", "CWE-693" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-12-15T16:31:38Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2021-21679
- https://github.com/jenkinsci/azure-ad-plugin/commit/8b1e80e6f242275127ebb177e2a755a2104b4853
- https://github.com/jenkinsci/azure-ad-plugin
- https://www.jenkins.io/security/advisory/2021-08-31/#SECURITY-2470
- http://www.openwall.com/lists/oss-security/2021/08/31/1
Affected packages
Maven / org.jenkins-ci.plugins:azure-ad
Package
- Name
- org.jenkins-ci.plugins:azure-ad
- View open source insights on deps.dev
- Purl
- pkg:maven/org.jenkins-ci.plugins/azure-ad
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed180.v8b1e80e6f242
Affected versions
0.*
0.1.1
0.1.1-1
0.2.0
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
1.*
1.0.0
1.1.0
1.1.1
1.1.2
1.2.0
1.2.1
1.2.2
1.2.3
146.*
146.vb688d1511c38
150.*
150.vb3db9f880321
152.*
152.v1609ed460604
153.*
153.v7af57b288088
154.*
154.v12e17a5f9ea3
155.*
155.v745ce80af7ea
157.*
157.v2d3d5782a602
158.*
158.v437429002c6b
164.*
164.v5b48baa961d2
165.*
165.v36344b7d7ca7
167.*
167.v34c2c5a3a030
168.*
168.ve6e7e368dbf6
170.*
170.v0a6219442a99
171.*
171.v9ef20c94d336
172.*
172.vf6a517c3329a
173.*
173.v0a210fffb510
174.*
174.vc2d906355813
175.*
175.v5513346d764a
177.*
177.v80b6c1591bf9
178.*
178.v7b93892fbe4c
179.*
179.vf6841393099e