Cross-site Request Forgery (CSRF) Affecting org.jenkins-ci.plugins:subversion package, versions [,2.9)
Threat Intelligence
EPSS: 0.06% (29th percentile)
- Snyk ID SNYK-JAVA-ORGJENKINSCIPLUGINS-32238
- published 6 May 2018
- disclosed 3 Jun 2017
- credit Unknown
Introduced: 3 Jun 2017
CVE-2017-1000085
How to fix?
Upgrade org.jenkins-ci.plugins:subversion to version 2.9 or higher.
Overview
org.jenkins-ci.plugins:subversion provides Jenkins integration with Apache Subversion.
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). The plugin connects to a user-specified Subversion repository as part of form validation. This functionality improperly checked permissions, allowing any user with Item/Build permission to connect to any web server or Subversion server and send credentials with a known ID, thereby possibly capturing them.