Cross-Site Request Forgery (CSRF) Affecting com.alauda.jenkins.plugins:alauda-devops-pipeline package, versions [0,]
Published: 20 Dec 2019
Disclosed: 17 Dec 2019
Credit: Viktor Gazdag, NCC Group
How to fix?
There is no fixed version for
com.alauda.jenkins.plugins:alauda-devops-pipeline is a plugin for Jenkins.
Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF). The plugin does not perform permission checks on a method implementing form validation. This allows users with Overall/Read access to Jenkins to connect to Kubernetes-related paths on an attacker-specified web server using attacker-specified credentials IDs obtained through another method, capturing token credentials managed by the Alauda DevOps Pipeline Plugin.
Additionally, the form validation method does not require POST requests, so the endpoint can also be triggered cross-site, resulting in a CSRF vulnerability.
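The two defects named above (a form-validation method reachable by GET and without a permission check) are the standard pair that Jenkins plugin hardening addresses with `@RequirePOST` and an explicit permission check before any credential is resolved. The class, method and parameter names below are hypothetical, and this is an added illustration of that pattern, not code from the Alauda DevOps Pipeline plugin or from the advisory; it only uses Jenkins core and Stapler APIs.

```java
// Added illustration (not the Alauda DevOps Pipeline plugin's own code).
// Class, method and parameter names are hypothetical; the Jenkins/Stapler
// annotations and permission calls are real APIs.
import hudson.Extension;
import hudson.model.Describable;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class KubeServerConfig implements Describable<KubeServerConfig> {

    @Override
    public Descriptor<KubeServerConfig> getDescriptor() {
        return Jenkins.get().getDescriptorByType(DescriptorImpl.class);
    }

    @Extension
    public static class DescriptorImpl extends Descriptor<KubeServerConfig> {

        @Override
        public String getDisplayName() {
            return "Kubernetes server (hypothetical)";
        }

        // WEAK PATTERN, i.e. what the advisory describes:
        //  - Stapler binds any do* method, and without @RequirePOST a plain GET such as
        //    .../descriptorByName/<class>/checkServerWeak?serverUrl=...&credentialsId=...
        //    reaches it, so it can be fired from a third-party page (CSRF);
        //  - nothing checks permissions, so Overall/Read is sufficient;
        //  - the credential named by credentialsId is resolved and sent to serverUrl.
        public FormValidation doCheckServerWeak(@QueryParameter String serverUrl,
                                                @QueryParameter String credentialsId) {
            return connectAndValidate(serverUrl, credentialsId);
        }

        // HARDENED PATTERN:
        //  - @RequirePOST rejects GET, so the request must carry the Jenkins crumb
        //    (its CSRF token), which a cross-site page cannot supply;
        //  - Item/Configure on the job being configured (or Overall/Administer for
        //    global configuration) is required before any credential is touched;
        //  - callers without that permission get an exception, not a "connection
        //    failed" oracle and not an outbound request carrying a token.
        @RequirePOST
        public FormValidation doCheckServer(@AncestorInPath Item item,
                                            @QueryParameter String serverUrl,
                                            @QueryParameter String credentialsId) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            return connectAndValidate(serverUrl, credentialsId);
        }

        // Hypothetical helper: validates the input before anything would be sent.
        // A real plugin would resolve credentialsId in the scope of the item here
        // and attempt the connection; this version stops at input validation.
        private FormValidation connectAndValidate(String serverUrl, String credentialsId) {
            if (serverUrl == null || serverUrl.isEmpty()) {
                return FormValidation.error("Server URL is required");
            }
            if (!serverUrl.startsWith("https://")) {
                return FormValidation.warning("Server URL should use https");
            }
            if (credentialsId == null || credentialsId.isEmpty()) {
                return FormValidation.error("Credentials are required");
            }
            return FormValidation.ok();
        }
    }
}
```

When reviewing a plugin for this class of issue, look at every `doCheck*`, `doFill*` and `doTest*` method in a `Descriptor` and confirm both halves are present: the `@RequirePOST` annotation (or `Jenkins.checkGoodName`-style validation that performs no side effects) and a `checkPermission` call scoped to the item being configured. Either half alone is insufficient: POST-only without a permission check still lets any logged-in user trigger the outbound connection, and a permission check without POST-only still lets an administrator's browser be driven from another site.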