Cross-Site Request Forgery in Jenkins Zephyr Enterprise Test Management Plugin
CVE-2019-1003084

6.5MEDIUM

Key Information:

Vendor
Jenkins
Status
Jenkins Zephyr Enterprise Test Management Plugin
Vendor
CVE Published:
4 April 2019

Summary

The Jenkins Zephyr Enterprise Test Management Plugin contains a cross-site request forgery (CSRF) vulnerability in the ZeeDescriptor#doTestConnection method. This flaw allows an attacker to trick a user into making unwanted requests to an attacker-specified server, potentially facilitating unauthorized actions on behalf of the victim. Proper validation and CSRF protection measures are essential to mitigate the risk associated with this vulnerability.

Affected Version(s)

Jenkins Zephyr Enterprise Test Management Plugin all versions as of 2019-04-03

References

http://www.securityfocus.com/bid/107790
vdb-entryx_refsource_BID
http://www.openwall.com/lists/oss-security/2019/04/12/2
mailing-listx_refsource_MLIST
https://jenkins.io/security/advisory/2019-04-03/#SECURITY...
x_refsource_CONFIRM

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.