Description
Poll SCM Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to initiate polling of projects with a known name. While Jenkins in general does not consider polling to be a protection-worthy action as it's similar to cache invalidation, the plugin specifically adds a permission to be able to use this functionality, and this issue undermines that permission.
Remediation
References
https://jenkins.io/security/advisory/2017-07-10/
Related Vulnerabilities
CVE-2020-27223 Vulnerability in maven package org.eclipse.jetty:jetty-server
CVE-2018-20677 Vulnerability in maven package org.webjars.bowergithub.angular-ui:bootstrap
CVE-2017-7957 Vulnerability in maven package org.sonatype.nexus.xstream:xstream
CVE-2021-21606 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2014-7839 Vulnerability in maven package org.jboss.resteasy:resteasy-jaxrs