Cross-Site Request Forgery Vulnerability in Jenkins Convert To Pipeline Plugin
CVE-2023-28676

8.8HIGH

Key Information:

Vendor: Jenkins
Status: Jenkins Convert To Pipeline Plugin
Vendor: CVE Published:; 2 April 2023

What is CVE-2023-28676?

The Jenkins Convert To Pipeline Plugin is vulnerable to a cross-site request forgery (CSRF) flaw that allows an attacker to create a Pipeline from an existing Freestyle project. By exploiting this weakness, an attacker could potentially trigger remote code execution (RCE), compromising the integrity and security of the affected Jenkins environment. This vulnerability affects versions 1.0 and earlier, necessitating prompt updates to mitigate risks.

Affected Version(s)

Jenkins Convert To Pipeline Plugin 0 <= 1.0

References

https://www.jenkins.io/security/advisory/2023-03-21/#SECU...

vendor-advisory

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 2, 2023
Vulnerability Reserved
Mar 20, 2023