CSRF vulnerability in Jenkins Xray - Test Management for Jira Plugin allows capturing credentials
High severity
GitHub Reviewed
Published
Jun 16, 2021
to the GitHub Advisory Database
•
Updated Oct 27, 2023
Package
Affected versions
< 2.4.1
Patched versions
2.4.1
Description
Published by the National Vulnerability Database
May 11, 2021
Reviewed
May 19, 2021
Published to the GitHub Advisory Database
Jun 16, 2021
Last updated
Oct 27, 2023
Credits
-
NotMyFault Analyst
Jenkins Xray - Test Management for Jira Plugin 2.4.0 and earlier does not require POST requests for a connection test method, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Jenkins Xray - Test Management for Jira Plugin 2.4.1 requires POST requests for the affected connection test method.
References