PT-2019-11709 · Jenkins · Jenkins Analysis-Core Plugin+2

Oleg Nenashev · Published 2019-04-30 · Updated 2023-10-25 · CVE-2019-10307

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins Static Analysis Utilities Plugin version 1.95 and earlier
Jenkins analysis-core Plugin (affected versions not specified; analysis-core is the artifact ID under which the Static Analysis Utilities Plugin is published, so the same 1.95-and-earlier range applies)
Description
A cross-site request forgery vulnerability exists because the form handler method DefaultGraphConfigurationView#doSave, which backs the configuration form for the default settings of each graph, neither performs a permission check nor requires POST requests. Because the handler also accepts GET requests, it can be triggered through a crafted link or page visited by a logged-in user, and because no permission is checked, an attacker with only Job/Read access can change the per-job default graph configuration for all users.
Recommendations
For Jenkins Static Analysis Utilities Plugin version 1.95 and earlier: update to a release in which the per-job graph defaults can only be changed by a POST request from a user holding Job/Configure permission on that job. The analysis-core plugin is the same plugin under its artifact ID, so the same update applies. Until the update is installed, restrict who can reach the configuration form for the default settings of each graph, for example by limiting Job/Read on the affected jobs to trusted users. Note that Jenkins' built-in CSRF protection (the crumb) does not mitigate this issue on its own: the crumb is validated only for POST requests, and the vulnerable handler also accepts GET.
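The two missing controls described above, shown as an added illustrative example rather than the plugin's actual source: a Stapler form handler in the vulnerable shape (any HTTP method, no permission check) next to the hardened shape the fix describes (POST only, Job/Configure required). The class name, the owner type, the parameter names and the `persist` helper are assumptions made for the example; only the real handler's name, DefaultGraphConfigurationView#doSave, comes from the advisory.

```java
// Added example, not code from the Static Analysis Utilities (analysis-core) plugin.
// Assumed: an AbstractProject owner, "width"/"height" form parameters, and a
// simple in-memory persist helper standing in for writing the config to disk.
import hudson.model.AbstractProject;
import hudson.model.Item;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

public class GraphConfigurationExample {

    /** The job whose per-job graph defaults this view edits (assumed owner type). */
    private final AbstractProject<?, ?> owner;

    /** Stand-in for the stored per-job defaults shared by all users. */
    private final Map<String, Integer> defaults = new HashMap<>();

    public GraphConfigurationExample(AbstractProject<?, ?> owner) {
        this.owner = owner;
    }

    /**
     * Vulnerable pattern. Stapler routes any HTTP method to a do* method unless told
     * otherwise, so a plain GET to this URL runs the body. Jenkins validates its CSRF
     * crumb only on POST, so the crumb filter never sees this request, and with no
     * permission check anyone who can browse the job (Job/Read) can rewrite the
     * defaults for every user, directly or via a link on a third-party page.
     */
    public void doSaveVulnerable(StaplerRequest request, StaplerResponse response)
            throws IOException {
        persist(request);
        response.sendRedirect2("../");
    }

    /**
     * Hardened pattern. @RequirePOST makes Stapler reject non-POST requests before
     * the body runs, which also puts the request on the path the crumb filter checks.
     * checkPermission throws an access-denied exception for a user who holds only
     * Job/Read, so the write now requires Job/Configure on this job.
     */
    @RequirePOST
    public void doSave(StaplerRequest request, StaplerResponse response)
            throws IOException {
        owner.checkPermission(Item.CONFIGURE);
        persist(request);
        response.sendRedirect2("../");
    }

    /**
     * Parse and store the submitted defaults. Input is validated as integers rather
     * than stored as whatever string the caller sent; a missing parameter leaves the
     * existing value untouched.
     */
    private void persist(StaplerRequest request) {
        for (String name : new String[] {"width", "height"}) {
            String raw = request.getParameter(name);
            if (raw == null) {
                continue;
            }
            try {
                int value = Integer.parseInt(raw.trim());
                if (value <= 0) {
                    throw new IllegalArgumentException(name + " must be positive");
                }
                defaults.put(name, value);
            } catch (NumberFormatException e) {
                throw new IllegalArgumentException(name + " is not an integer: " + raw, e);
            }
        }
    }

    /** Read back a stored default; null when nothing has been saved for that name. */
    public Integer getDefault(String name) {
        return defaults.get(name);
    }
}
```

When auditing other plugins for the same class of bug, the two things to look for are exactly the two differences between `doSaveVulnerable` and `doSave`: a `do*` method that changes state without `@RequirePOST` (or an explicit `requirePOST()` check), and a state change that is not preceded by `checkPermission` on the object being modified. Either one alone is a finding; this advisory had both.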

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2019-10307
GHSA-3V9F-4VFF-RX42

Affected Products

Jenkins
Jenkins Static Analysis Utilities Plugin
Jenkins Analysis-Core Plugin