Cross-Site Request Forgery in Jenkins ThreadFix Plugin
CVE-2022-34209

6.5MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Threadfix Plugin
Vendor: CVE Published:; 23 June 2022

Summary

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins ThreadFix Plugin, allowing attackers to execute unauthorized commands by sending requests that exploit the trust between the user and the application. This can lead to connections to an attacker-specified URL, posing a significant risk to the integrity and security of Jenkins installations running ThreadFix Plugin versions 1.5.4 and earlier.

Affected Version(s)

Jenkins ThreadFix Plugin <= 1.5.4

References

https://www.jenkins.io/security/advisory/2022-06-22/#SECU...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jun 23, 2022
Vulnerability Reserved
Jun 21, 2022