Cross-site Request Forgery (CSRF)

Affecting org.jenkins-ci.plugins:slack artifact, versions [,2.20) (every release before 2.20)


Overview

org.jenkins-ci.plugins:slack is a Jenkins plugin for posting build notifications to a Slack channel. It authenticates to Slack with a token stored in the Jenkins credentials store and referenced by a credentials ID.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). A form validation method in the plugin accepted requests that were not required to be POST, so an attacker who gets a logged-in Jenkins user's browser to issue a crafted request can make the Jenkins server open a connection to an attacker-specified URL using an attacker-specified credentials ID (one the attacker has learned through another method). Jenkins resolves that ID to the stored secret and sends it to the attacker's endpoint, so the attacker captures credentials stored in Jenkins without ever reading the credentials store directly. Of the two CVE IDs listed below, CVE-2019-1003044 covers this missing POST requirement (CSRF) and CVE-2019-1003043 covers the missing permission check on the same method, which let a user with only Overall/Read permission trigger the connection themselves.

Remediation

Upgrade org.jenkins-ci.plugins:slack to version 2.20 or higher. Because a successful attack delivers a stored credential to an attacker-controlled server, treat any Slack token that was held in the affected Jenkins instance while a vulnerable version was installed as potentially exposed: rotate it in Slack after the upgrade and review outbound connections from Jenkins to unfamiliar hosts.
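The following is an added example, not code from the Snyk advisory or from the plugin itself: a small Python check that reads the plugin list Jenkins exposes through its plugin-manager JSON API and flags any installed Slack plugin whose version falls in the vulnerable range [,2.20). The JSON shape it parses (a `plugins` array whose entries carry `shortName` and `version`) is what Jenkins' `/pluginManager/api/json?depth=1` returns; the sample document embedded below is constructed so the script runs offline. A pre-release qualifier such as `2.20-rc1` is treated as older than `2.20`, which is the conservative choice for a range check.

```python
"""Flag a Jenkins Slack Notification plugin install in the vulnerable
range [,2.20) for CVE-2019-1003043 / CVE-2019-1003044.

Added example; not code from the advisory or the plugin. The JSON shape
follows Jenkins' /pluginManager/api/json?depth=1 output; the sample
document below is constructed for offline use.
"""
import json
import re

FIXED_VERSION = "2.20"        # first release outside the vulnerable range
PLUGIN_SHORT_NAME = "slack"   # shortName of org.jenkins-ci.plugins:slack

# Constructed sample in the shape of the Jenkins plugin-manager API response.
SAMPLE_PLUGIN_LIST = json.dumps({
    "plugins": [
        {"shortName": "credentials", "version": "2.1.18", "active": True},
        {"shortName": "slack", "version": "2.19", "active": True},
        {"shortName": "git", "version": "3.9.3", "active": True},
    ]
})

# Leading dotted numbers, optionally followed by a '-' or '+' qualifier.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-+].*)?$")


def parse_version(text):
    """Turn '2.19', '2.20.1' or '2.20-rc1' into a comparable key.

    The key is (numeric components, release flag). A qualifier such as
    '-rc1' or '-SNAPSHOT' gives release flag 0, so a 2.20 pre-release
    sorts before the plain 2.20 release and is still reported as vulnerable.
    """
    text = text.strip()
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised plugin version: {text!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    is_release = 1 if match.end(1) == len(text) else 0
    return numbers, is_release


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when `version` lies in the half-open range [,fixed)."""
    return parse_version(version) < parse_version(fixed)


def find_vulnerable_plugins(plugin_list_json, short_name=PLUGIN_SHORT_NAME,
                            fixed=FIXED_VERSION):
    """Return [(shortName, version)] for entries of `short_name` below `fixed`."""
    doc = json.loads(plugin_list_json)
    findings = []
    for plugin in doc.get("plugins", []):
        if plugin.get("shortName") != short_name:
            continue
        version = plugin.get("version", "")
        if is_vulnerable(version, fixed):
            findings.append((short_name, version))
    return findings


if __name__ == "__main__":
    hits = find_vulnerable_plugins(SAMPLE_PLUGIN_LIST)
    for name, version in hits:
        print(f"{name} {version} is in the vulnerable range [,{FIXED_VERSION}): "
              f"upgrade to {FIXED_VERSION} or later and rotate the Slack tokens it used")
    if not hits:
        print(f"no {PLUGIN_SHORT_NAME} plugin below {FIXED_VERSION} found")
```

Against a live controller, feed `find_vulnerable_plugins` the body of an authenticated GET to `$JENKINS_URL/pluginManager/api/json?depth=1` instead of `SAMPLE_PLUGIN_LIST`; the `depth=1` parameter is what makes Jenkins include the per-plugin `version` field.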

CVSS Score

4.2
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    Low
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    None
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Credit
Viktor Gazdag
CVE
CVE-2019-1003043 CVE-2019-1003044
CWE
CWE-352
Snyk ID
SNYK-JAVA-ORGJENKINSCIPLUGINS-174032
Disclosed
28 Mar, 2019
Published
28 Mar, 2019