PT-2020-15299 · CloudBees · Health Advisor
Wadeck Follonier · Published 2020-01-15 · Updated 2023-10-25 · CVE-2020-2093
CVSS v3.1: 8.8 (High) · Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Health Advisor by CloudBees Plugin versions 3.0 and earlier
Description
A cross-site request forgery issue allows attackers to send an email with fixed content to a specified recipient. The root cause is that the plugin does not perform permission checks in its form validation methods, so any user with Overall/Read access can trigger the email. Because these same form validation methods also do not require POST requests, the action can be triggered cross-site, which is the CSRF issue.
Recommendations
For Health Advisor by CloudBees Plugin versions 3.0 and earlier, update to version 3.0.1 or later, which requires POST requests and Overall/Administer permission for the affected form validation methods, thus mitigating the issue.
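To make the two missing controls concrete, here is an added example of a hypothetical Jenkins form validation method in the shape the description above gives (no permission check, reachable via GET) next to the hardened shape the 3.0.1 fix is described as having (POST required, Overall/Administer required). This is illustrative code written for this advisory, not the Health Advisor plugin's own source; the class name `HealthAdvisorGlobalConfig`, the method names `doTestEmailVulnerable` / `doTestEmail` and the `recipient` parameter are assumptions, while `@RequirePOST`, `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` and `FormValidation` are the standard Jenkins/Stapler APIs used for exactly this purpose.

```java
// Added example, not the plugin's own code. Names such as HealthAdvisorGlobalConfig,
// doTestEmailVulnerable, doTestEmail and the "recipient" parameter are assumptions.
import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.util.logging.Level;
import java.util.logging.Logger;

@Extension
public class HealthAdvisorGlobalConfig extends GlobalConfiguration {

    private static final Logger LOGGER = Logger.getLogger(HealthAdvisorGlobalConfig.class.getName());

    // Shape matching the advisory's description of versions 3.0 and earlier.
    // Stapler exposes any public method named doXxx as a web endpoint. Without a
    // permission check, any user with Overall/Read reaches it; without @RequirePOST
    // it answers plain GET requests, so no CSRF crumb is enforced and a visited
    // link is enough to trigger the side effect. Kept here only for comparison.
    public FormValidation doTestEmailVulnerable(@QueryParameter String recipient) {
        sendTestEmail(recipient);
        return FormValidation.ok("Test email sent to " + recipient);
    }

    // Shape matching the described 3.0.1 fix.
    // @RequirePOST makes Stapler reject non-POST requests (HTTP 405), which also
    // brings the Jenkins CSRF crumb check into play, and the explicit permission
    // check raises AccessDeniedException (HTTP 403) for anyone below Overall/Administer
    // before the side effect is performed. Validate input after the authorization check.
    @RequirePOST
    public FormValidation doTestEmail(@QueryParameter String recipient) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        if (recipient == null || recipient.trim().isEmpty()) {
            return FormValidation.error("Recipient is required");
        }
        sendTestEmail(recipient);
        return FormValidation.ok("Test email sent to " + recipient);
    }

    // Assumed helper standing in for the plugin's mail dispatch, which is not on the
    // advisory page. The side effect here is logged so the guard logic above is the
    // only thing under discussion.
    private void sendTestEmail(String recipient) {
        LOGGER.log(Level.INFO, "Health Advisor test email requested for {0}", recipient);
    }
}
```

The order of the two guards matters: the POST requirement is enforced by Stapler before the method body runs, and the permission check is the first statement inside it, so no request that fails either control reaches the code that sends the email. Jenkins' own form validation guidance applies the same pattern to every `doCheckXxx` / `doTestXxx` method that has a side effect or reveals sensitive state.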
Fix
CSRF
Affected Products
Health Advisor
Jenkins