Cross-Site Request Forgery in Jenkins Build Failure Analyzer Plugin
CVE-2019-16553

8.8HIGH

Key Information:

Vendor: Jenkins
Status: Jenkins Build Failure Analyzer Plugin
Vendor: CVE Published:; 17 December 2019

Summary

A cross-site request forgery vulnerability exists in the Jenkins Build Failure Analyzer Plugin versions up to 1.24.1. This vulnerability could be exploited by attackers to trick Jenkins into evaluating a computationally intensive regular expression without the user's awareness, potentially leading to resource exhaustion or unexpected behavior. Mitigating this vulnerability is essential to maintain the integrity and performance of Jenkins environments.

Affected Version(s)

Jenkins Build Failure Analyzer Plugin <= 1.24.1

References

https://jenkins.io/security/advisory/2019-12-17/#SECURITY...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2019/12/17/1

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Dec 17, 2019
Vulnerability Reserved
Sep 20, 2019