Jenkins Poll SCM Plugin vulnerable to Cross-Site Request Forgery
Severity: High (GitHub Reviewed)
Published by the National Vulnerability Database: Oct 5, 2017
Published to the GitHub Advisory Database: May 17, 2022
Reviewed: Dec 12, 2022
Last updated: Jan 28, 2023

Description
Jenkins Poll SCM Plugin did not require requests to its API to be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to initiate polling of projects with a known name. While Jenkins in general does not consider polling to be a protection-worthy action, as it is similar to cache invalidation, the plugin specifically adds a permission for using this functionality, and this issue undermines that permission. This functionality is now only available via POST.
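As an added illustration of the pattern this advisory describes (not the Poll SCM Plugin's own code), the following shows a Jenkins Stapler web method in the vulnerable shape beside the POST-only form; the class name PollScmAction, the field pollPermission and the method names are assumptions.

```java
// Added illustration of the pattern the advisory describes; this is not the
// Poll SCM Plugin's own code. PollScmAction, pollPermission, doPollUnsafe
// and doPoll are hypothetical names.
import hudson.model.AbstractProject;
import hudson.security.Permission;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class PollScmAction {
    private final AbstractProject<?, ?> project;
    // The plugin-specific permission that is supposed to gate manual polling.
    private final Permission pollPermission;

    public PollScmAction(AbstractProject<?, ?> project, Permission pollPermission) {
        this.project = project;
        this.pollPermission = pollPermission;
    }

    // VULNERABLE shape: Stapler routes .../poll to this method for any HTTP
    // verb, so a plain GET triggers polling. A page on another site only needs
    // the project name; the browser attaches the victim's Jenkins session, so
    // checkPermission() passes on the victim's behalf and the permission is
    // bypassed rather than enforced.
    public HttpResponse doPollUnsafe(StaplerRequest req) {
        project.checkPermission(pollPermission);
        project.schedulePolling();
        return HttpResponses.ok();
    }

    // FIXED shape: @RequirePOST makes Stapler answer non-POST requests with
    // HTTP 405, and Jenkins' CSRF protection (the crumb issuer, on by default
    // since Jenkins 2.0) requires POST requests to carry a per-session crumb
    // that a cross-site page cannot read. The permission check now holds.
    @RequirePOST
    public HttpResponse doPoll(StaplerRequest req) {
        project.checkPermission(pollPermission);
        if (!project.schedulePolling()) {
            // schedulePolling() returns false when the project is disabled or
            // has no SCM trigger configured, so report that instead of silently
            // returning success.
            return HttpResponses.error(400, "Project is not configured for SCM polling");
        }
        return HttpResponses.ok();
    }
}
```

Requiring POST is what makes the crumb check apply; a permission check alone does not stop CSRF because the forged request carries the victim's own credentials.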