PT-2018-9354 · Jenkins · Jenkins Gitlab Branch Source Plugin+1

Thomas De Grenier De Latour · Published 2018-06-05 · Updated 2022-05-14

CVE-2018-1000185

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins GitHub Branch Source Plugin versions 2.3.4 and older

Description: A server-side request forgery (SSRF) issue exists in the Endpoint.java file, allowing attackers with Overall/Read access to make the Jenkins server send a GET request to a URL of their choosing. Additionally, a CSRF vulnerability is present because the form validation method did not require POST requests. As of version 2.3.5 this method requires POST requests and the Overall/Administer permission.

Recommendations: For Jenkins GitHub Branch Source Plugin versions 2.3.4 and older, update to version 2.3.5 or newer to resolve the issue. As a temporary workaround, consider restricting access to the endpoint implemented in Endpoint.java to minimize the risk of exploitation, and restrict Overall/Read access to prevent attackers from making the server send unauthorized GET requests.

Fix

SSRF


Weakness Enumeration

Related Identifiers

CVE-2018-1000185
GHSA-9CFQ-V2HM-C3XR

Affected Products

Jenkins
Jenkins Gitlab Branch Source Plugin