PT-2020-15417 · Jenkins · Jenkins Fortify On Demand Plugin+1
Daniel Beck · Published 2020-07-02 · Updated 2023-10-25 · CVE-2020-2203 · CVSS v3.1 5.4 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins Fortify on Demand Plugin versions 5.0.1 and earlier
Description
A cross-site request forgery (CSRF) issue allows attackers to connect to the globally configured Fortify on Demand endpoint using attacker-specified credentials IDs. Exploiting this issue requires the appropriate permission in the plugin.
Recommendations
For Jenkins Fortify on Demand Plugin versions 5.0.1 and earlier, consider updating to version 6.0.0 or later, which includes the necessary form validation method to prevent this issue.
As a temporary workaround, restrict access to the globally configured Fortify on Demand endpoint to minimize the risk of exploitation.
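The form-validation pattern behind an issue of this kind, as an added example that is not the plugin's own code: a global-configuration `doTestConnection` method (a hypothetical name here) that any GET request can trigger with a chosen `credentialsId`, beside the hardened version that requires POST and an explicit permission check, as Jenkins form-validation guidance prescribes. `FodClient` is a stand-in for the real endpoint client; the Jenkins and Credentials Plugin APIs used are real.

```java
import java.util.Collections;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
// Hypothetical global-configuration descriptor; names and FodClient are stand-ins.
public class FodGlobalConfigExample {
    // Stand-in for the plugin's real endpoint client (hypothetical).
    static class FodClient {
        static boolean ping(String endpoint, StandardUsernamePasswordCredentials c) {
            return c != null && endpoint != null && endpoint.startsWith("https://");
        }
    }
    // Resolves a credentials ID against the system-scoped credential store.
    private static StandardUsernamePasswordCredentials lookup(String credentialsId) {
        return CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class, Jenkins.get(),
                        ACL.SYSTEM, Collections.<DomainRequirement>emptyList()),
                CredentialsMatchers.withId(credentialsId));
    }

    // VULNERABLE pattern: no HTTP-verb restriction and no permission check, so a
    // plain GET issued from a page the user visits makes Jenkins connect to the
    // endpoint with whichever stored credentials ID the request names (CSRF).
    public FormValidation doTestConnectionVulnerable(
            @QueryParameter String endpoint, @QueryParameter String credentialsId) {
        return FodClient.ping(endpoint, lookup(credentialsId))
                ? FormValidation.ok("Connected") : FormValidation.error("Failed");
    }

    // HARDENED pattern: @POST makes Stapler reject non-POST calls, which in turn
    // brings the Jenkins CSRF crumb into play; checkPermission limits the call
    // to administrators, the only users who may use system-scoped credentials.
    @POST
    public FormValidation doTestConnection(
            @QueryParameter String endpoint, @QueryParameter String credentialsId) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        StandardUsernamePasswordCredentials c = lookup(credentialsId);
        if (c == null) return FormValidation.error("No credentials with ID " + credentialsId);
        return FodClient.ping(endpoint, c)
                ? FormValidation.ok("Connected") : FormValidation.error("Failed");
    }
}
```

The hardened method is what the update to a version with the corrected form-validation method achieves; the temporary workaround in the recommendation above reduces exposure until that update is applied.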
Fix
CSRF
Affected Products
Jenkins
Jenkins Fortify On Demand Plugin