Cross-Site Request Forgery in Jenkins Chef Sinatra Plugin
CVE-2019-1003086
6.5MEDIUM
Summary
A cross-site request forgery vulnerability exists in the Jenkins Chef Sinatra Plugin which allows attackers to execute unauthorized commands. Specifically, the flaw emerges in the form validation method of ChefBuilderConfiguration.DescriptorImpl#doTestConnection, enabling attackers to redirect requests to a server of their choosing. This could potentially lead to unauthorized access and elevated privileges, necessitating immediate attention to mitigate associated risks.
Affected Version(s)
Jenkins Chef Sinatra Plugin all versions as of 2019-04-03
References
CVSS V3.1
Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved