Virsec Security Research Lab Vulnerability Report
The Virsec Security Research Lab, helmed by Virsec CTO, Satya Gupta, provides timely, relevant analysis about prevalent security vulnerabilities.
1.1 Vulnerability Summary
Warnings Plugin 5.0.1 and earlier does not require POST requests for a form validation method intended for testing custom warnings parsers, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to execute arbitrary code.
Warnings Plugin 5.0.2 requires POST requests for the affected form validation method.
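To illustrate the class of bug, here is an added example (not the Warnings Plugin's own code) of a Jenkins form-validation method written against the Stapler API: the first version answers GET requests, so it is not covered by Jenkins' crumb (CSRF token) check, while the second is restricted to POST with @RequirePOST, which brings it under that protection. The class name, method names and the regex-based stand-in for the parser test are assumptions made for this illustration; the real plugin evaluates user-supplied parser code.

```java
import hudson.util.FormValidation;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

// Hypothetical holder for a custom-parser form validation. In a real plugin
// these methods live on a Descriptor; Stapler binds any public doXxx method.
public class CustomParserCheck {

    // Shared "test the parser" logic. This stand-in compiles a user-supplied
    // regex and runs it against a sample line; the plugin's real test runs
    // user-supplied parser code, which is why reaching it cross-site matters.
    private FormValidation runParserTest(String regex, String sampleLine) {
        try {
            Pattern p = Pattern.compile(regex);
            return p.matcher(sampleLine).find()
                    ? FormValidation.ok("Parser matched the sample line.")
                    : FormValidation.warning("Parser did not match the sample line.");
        } catch (PatternSyntaxException e) {
            return FormValidation.error("Invalid regular expression: " + e.getDescription());
        }
    }

    // VULNERABLE PATTERN: Stapler routes GET .../checkParser?regex=...&sample=...
    // here. Jenkins' crumb filter only validates POST requests, so a GET issued
    // by the browser of a logged-in user runs the test with that user's session
    // and permissions. This mirrors the weakness described in 1.1.
    public FormValidation doCheckParser(@QueryParameter String regex,
                                        @QueryParameter String sample) {
        return runParserTest(regex, sample);
    }

    // FIXED PATTERN: @RequirePOST makes Stapler reject any method other than
    // POST, and POST requests must carry a valid crumb, which a cross-site
    // request cannot supply. This is the approach 5.0.2 takes in requiring POST.
    @RequirePOST
    public FormValidation doTestParser(@QueryParameter String regex,
                                       @QueryParameter String sample) {
        return runParserTest(regex, sample);
    }
}
```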
1.2 CVSS Score
The CVSS Base Score is 8.8 (High).
1.3 Affected Version
Jenkins Warnings Plugin 5.0.1 and prior versions.
1.4 Vulnerability Attribution
This vulnerability was a consequence of an incomplete fix for the vulnerability tracked as CVE-2019-1003005. It appears to have been found by the Jenkins project directly.
1.5 Risk Impact
No public exploit code is available, and a patch exists. Jenkins is an open source automation server that helps automate building, testing, and deploying software in the CI/CD pipeline. It integrates with project management software (JIRA), incident filing tools (Bugzilla), static analysis tools (Veracode), legal compliance tools (Black Duck), build tools (Ant, Maven) and version control tools (Subversion, Git). Millions of instances of Jenkins server are in use worldwide.
1.6 Virsec Security Platform (VSP) Support
The VSP-Web capability can detect such a CSRF attack and prevent it from being exploited.
1.7 Reference Links
Download the full vulnerability report to learn more about this and other important vulnerabilities.