PT-2021-14684 · Jenkins · Jenkins Promoted Builds Plugin+1
Daniel Beck
+1
·
Published
2021-04-07
·
Updated
2023-11-30
·
CVE-2021-21641
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins promoted builds Plugin versions 3.9 and earlier
Description
A cross-site request forgery (CSRF) vulnerability allows attackers to promote builds. This issue arises because the plugin does not require POST requests for HTTP endpoints implementing promotion, resulting in CSRF vulnerabilities. A security hardening since Jenkins 2.287 and LTS 2.277.2 prevents exploitation of this vulnerability.
Recommendations
For Jenkins promoted builds Plugin versions 3.9 and earlier, update to version 3.9.1 or later, which requires POST requests for the affected HTTP endpoints.
As a temporary workaround, consider restricting access to the HTTP endpoints implementing promotion to minimize the risk of exploitation.
Fix
CSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jenkins Promoted Builds Plugin