Description
A cross-site request forgery vulnerability in a connection test form method in Jenkins Maven Release Plugin 0.16.1 and earlier allows attackers to have Jenkins connect to an attacker-specified web server and parse XML documents.
Remediation
References
http://www.openwall.com/lists/oss-security/2019/12/17/1
https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1681