Jenkins · Jenkins Promoted Builds Plugin · CVE-2021-21641
**Name of the Vulnerable Software and Affected Versions**
Jenkins promoted builds Plugin versions 3.9 and earlier
**Description**
A cross-site request forgery (CSRF) vulnerability allows attackers to promote builds. This issue arises because the plugin does not require POST requests for HTTP endpoints implementing promotion, resulting in CSRF vulnerabilities. A security hardening since Jenkins 2.287 and LTS 2.277.2 prevents exploitation of this vulnerability.
**Recommendations**
For Jenkins promoted builds Plugin versions 3.9 and earlier, update to version 3.9.1 or later, which requires POST requests for the affected HTTP endpoints.
As a temporary workaround, consider restricting access to the HTTP endpoints implementing promotion to minimize the risk of exploitation.
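To show what "requires POST requests for the affected HTTP endpoints" means at the code level, here is an added Jenkins plugin example that is not the promoted builds plugin's own source; the class, method and parameter names are hypothetical. The weak pattern is a Stapler web method reachable by GET, and the hardened pattern applies Stapler's `@RequirePOST` so that GET is refused with 405 and Jenkins' crumb-based CSRF protection applies to the POST.

```java
import hudson.model.Action;
import hudson.model.Item;
import hudson.model.Run;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.interceptor.RequirePOST;

/** Hypothetical build action exposing a "promote" web method (illustration only). */
public class ExamplePromoteAction implements Action {
    private final Run<?, ?> build;

    public ExamplePromoteAction(Run<?, ?> build) {
        this.build = build;
    }

    // Weak pattern: Stapler routes GET /<build>/promote-example/promoteUnsafe here as well,
    // so a plain link or image tag on another site can trigger it with the victim's
    // existing Jenkins session. A permission check alone does not prevent this.
    public HttpResponse doPromoteUnsafe(StaplerRequest req) {
        build.getParent().checkPermission(Item.BUILD);
        applyPromotion(req.getParameter("level"));
        return HttpResponses.ok();
    }

    // Hardened pattern: @RequirePOST makes Stapler answer non-POST requests with
    // 405 Method Not Allowed, and Jenkins' CrumbFilter validates the CSRF crumb on POST.
    @RequirePOST
    public HttpResponse doPromote(StaplerRequest req) {
        build.getParent().checkPermission(Item.BUILD);
        applyPromotion(req.getParameter("level"));
        return HttpResponses.ok();
    }

    // Stand-in for the state change the real plugin performs (hypothetical).
    private void applyPromotion(String level) {
        // e.g. record the promotion level on the build and trigger follow-up steps
    }

    @Override public String getIconFileName() { return null; }   // no sidebar link
    @Override public String getDisplayName() { return "Promote (example)"; }
    @Override public String getUrlName() { return "promote-example"; }
}
```

Any form or script that calls the hardened endpoint must send a POST with a valid crumb; a quick way to confirm the fix on a test instance is to request the endpoint with GET and verify that Jenkins returns 405 rather than performing the promotion.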