PT-2024-1421 · Jenkins+1 · Jenkins Gitlab Branch Source Plugin+2
Kevin Guerroudj
·
Published
2024-01-24
·
Updated
2024-04-11
·
CVE-2024-23902
CVSS v2.0
5.0
Medium
| Vector | AV:N/AC:L/Au:N/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins GitLab Branch Source Plugin versions 684.vea fa 7c1e2fe3 and earlier
Description
The issue is related to a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to connect to an attacker-specified URL. The vulnerability is caused by the plugin not requiring POST requests for a form validation endpoint.
Recommendations
For Jenkins GitLab Branch Source Plugin versions 684.vea fa 7c1e2fe3 and earlier, update to a version that requires POST requests for the affected form validation endpoint, such as GitLab Branch Source Plugin 688.v5fa 356ee8520. As a temporary workaround, consider restricting access to the form validation endpoint to minimize the risk of exploitation.
Fix
CSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jenkins Gitlab Branch Source Plugin
Red Os