CVE-2021-21675

Name of the Vulnerable Software and Affected Versions Jenkins requests-plugin Plugin versions 2.2.12 and earlier

Description A cross-site request forgery (CSRF) vulnerability allows attackers to create requests and/or have administrators apply pending requests, such as renaming or deleting jobs, deleting builds, etc. This issue arises because the plugin does not require POST requests to request and apply changes. The vulnerability was partially fixed in version 2.2.8, which required POST requests for some affected HTTP endpoints, but the endpoint allowing administrators to apply pending requests remained unprotected until version 2.2.13.

Recommendations For Jenkins requests-plugin Plugin versions 2.2.12 and earlier, update to version 2.2.13 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected HTTP endpoints to minimize the risk of exploitation.