Cross-Site Request Forgery (CSRF) Affecting hudson.plugins.octopusdeploy:octopusdeploy package, versions [,1.9.0)


0.0
medium
  • Attack Complexity

    Low

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-JAVA-HUDSONPLUGINSOCTOPUSDEPLOY-173717

  • published

    21 Feb 2019

  • disclosed

    20 Feb 2019

  • credit

    Thomas de Grenier de Latour

How to fix?

Upgrade hudson.plugins.octopusdeploy:octopusdeploy to version 1.9.0 or higher.

Overview

hudson.plugins.octopusdeploy:octopusdeploy helps connecting OctopusDeploy to the Jenkins workflow. Integration with OctopusDeploy is achieved via the REST API, not the Octo.exe tool.

Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF). A missing permission check in a form validation method in OctopusDeploy Plugin allows users with Overall/Read permission to initiate a connection test, sending an HTTP HEAD request to an attacker-specified URL, returning HTTP response code if successful, or exception error message otherwise.