Cross-Site Request Forgery (CSRF) Affecting com.sonyericsson.hudson.plugins.gerrit:gerrit-trigger package, versions [,2.30.2)
20 Dec 2019
17 Dec 2019
Alex Earl (@alexcearl), Marvell Semiconductor, Inc.
How to fix?
Upgrade com.sonyericsson.hudson.plugins.gerrit:gerrit-trigger to version 2.30.2 or higher.
com.sonyericsson.hudson.plugins.gerrit:gerrit-trigger is a Jenkins plugin that integrates Jenkins with Gerrit code review, triggering builds when a "patch set" is created.
Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF). The plugin does not perform permission checks in its form validation methods. This allows users with Overall/Read access to perform connection tests (connecting to an HTTP URL or SSH server using attacker-specified credentials) or to determine whether files with an attacker-specified path exist on the Jenkins master file system.
Additionally, these form validation methods do not require POST requests, resulting in a CSRF vulnerability.
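The two defects described above (form validation methods reachable by any user with Overall/Read, and reachable via GET) map onto a standard Jenkins hardening pattern: require POST for validation methods with side effects, and check Overall/Administer before doing anything that contacts a remote host or inspects the controller's file system. The following is an added illustration, not code from the gerrit-trigger plugin or from the advisory; the class `ExampleServerConfig`, the methods `doTestConnection`, `doCheckKeyFile` and `tryConnect`, and the form field names are all hypothetical, and it assumes a Jenkins core new enough to provide `Jenkins.get()`.

```java
// Added example (not the gerrit-trigger plugin's own code): a hypothetical
// global-configuration Descriptor whose form-validation endpoints apply the
// fix pattern the advisory describes. All names below are invented.
import java.io.File;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

@Extension
public class ExampleServerConfig extends GlobalConfiguration {

    // UNPATCHED PATTERN (the shape the advisory describes): a public doXxx
    // method with no permission check and no POST requirement is callable by
    // anyone with Overall/Read through a plain GET, so it can be driven by a
    // cross-site request. Shown here only as a comment, for contrast:
    //
    //   public FormValidation doTestConnection(@QueryParameter String url,
    //                                          @QueryParameter String username,
    //                                          @QueryParameter String password)
    //           throws IOException {
    //       return tryConnect(url, username, password)
    //               ? FormValidation.ok("OK") : FormValidation.error("Failed");
    //   }

    // HARDENED PATTERN: a connection test has side effects (outbound network
    // access with caller-supplied credentials), so it must require POST, which
    // also places it under Jenkins' crumb-based CSRF protection, and must be
    // limited to administrators.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String url,
                                           @QueryParameter String username,
                                           @QueryParameter String password) {
        // Throws AccessDeniedException for callers without Overall/Administer.
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        try {
            return tryConnect(url, username, password)
                    ? FormValidation.ok("Connection succeeded")
                    : FormValidation.error("Connection failed");
        } catch (IOException e) {
            return FormValidation.error(e, "Connection failed");
        }
    }

    // A doCheck method that inspects the controller's file system discloses
    // whether a given path exists, so it must also be gated on ADMINISTER.
    // Returning ok() for unauthorized callers keeps the form usable without
    // revealing anything.
    public FormValidation doCheckKeyFile(@QueryParameter String value) {
        if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
            return FormValidation.ok();
        }
        if (value == null || value.trim().isEmpty()) {
            return FormValidation.error("Path is required");
        }
        File f = new File(value.trim());
        return f.isFile() ? FormValidation.ok()
                          : FormValidation.warning("File not found on the Jenkins controller");
    }

    // Hypothetical connection attempt: an authenticated HTTP HEAD request with
    // short timeouts. Only reachable after the checks above have passed.
    private boolean tryConnect(String url, String username, String password) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        conn.setRequestMethod("HEAD");
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        String token = Base64.getEncoder().encodeToString(
                (username + ":" + password).getBytes(StandardCharsets.UTF_8));
        conn.setRequestProperty("Authorization", "Basic " + token);
        try {
            return conn.getResponseCode() < 400;
        } finally {
            conn.disconnect();
        }
    }
}
```

Two design points follow from the advisory's wording. Connection tests use `checkPermission`, which fails loudly, because a non-administrator should never be able to trigger an outbound connection at all; the path check uses `hasPermission` and silently returns `ok()`, because a validation callback that throws would break the configuration form for ordinary users while the existence check itself is the information that must not leak. `@RequirePOST` alone is not sufficient: it stops the GET-based CSRF vector but does nothing about an authenticated low-privilege user submitting the POST directly, which is why the permission check is still required.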