Cross-site Request Forgery (CSRF)

Affecting org.jvnet.hudson.plugins:monitoring artifact, versions [,1.75)


Overview

org.jvnet.hudson.plugins:monitoring is the Jenkins Monitoring plugin, which exposes runtime statistics and thread information for the Jenkins master.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). The plugin's thread-kill action is not protected against forged requests, so an attacker who gets a user with access to that action to open a crafted page can kill threads running on the Jenkins master, which can lead to denial of service. NOTE: the Monitoring plugin reads Jenkins' CSRF protection setting only once, at Jenkins startup or when the plugin finishes loading, and does not notice configuration changes made afterwards. Enabling (or disabling) Jenkins' global CSRF protection therefore has no effect on the plugin until Jenkins is restarted; administrators need to restart Jenkins for the change to apply to the Monitoring plugin.

Remediation

Upgrade org.jvnet.hudson.plugins:monitoring to version 1.75 or higher.
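A quick way to confirm whether an instance is still on an affected version is to read the installed plugin list from the Jenkins plugin manager API and compare the Monitoring plugin's version against the fix boundary, 1.75. The check below is an added example, not code from the advisory or from the plugin; it assumes the usual shape of the `GET /pluginManager/api/json?depth=1` response (a `plugins` array of objects with `shortName` and `version`) and runs against a constructed sample response rather than a live server. Version comparison is done on numeric components so that, for example, 1.7.5 is correctly treated as older than 1.75.

```python
"""Added example (not from the advisory or the Monitoring plugin):
flag an installed Jenkins Monitoring plugin that falls in the affected
range [,1.75) using the output of the plugin manager API."""
import json

# First fixed version per the advisory: versions below this are affected.
FIXED_VERSION = "1.75"


def parse_version(version: str) -> tuple:
    """Turn a dotted version string into a tuple of integers for comparison.
    Non-numeric suffixes on a component (e.g. '1.74-SNAPSHOT') are ignored,
    so '1.74-SNAPSHOT' compares as (1, 74)."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the given Monitoring plugin version is below 1.75."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def vulnerable_monitoring_plugins(plugin_manager_json: str) -> list:
    """Return [(shortName, version)] for every Monitoring plugin entry in an
    affected version. The input is the response body of
    GET /pluginManager/api/json?depth=1 (assumption: the standard Jenkins
    shape {"plugins": [{"shortName": ..., "version": ..., ...}, ...]})."""
    data = json.loads(plugin_manager_json)
    findings = []
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") != "monitoring":
            continue
        version = str(plugin.get("version", "0"))
        if is_affected(version):
            findings.append(("monitoring", version))
    return findings


# Constructed sample response (not captured from a real Jenkins server).
SAMPLE_RESPONSE = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "3.9.1", "active": True},
        {"shortName": "monitoring", "version": "1.74", "active": True},
    ]
})

if __name__ == "__main__":
    # In practice, fetch the JSON with authenticated credentials from
    # <jenkins-url>/pluginManager/api/json?depth=1 and pass the body here.
    for name, version in vulnerable_monitoring_plugins(SAMPLE_RESPONSE):
        print(f"{name} {version} is affected; upgrade to {FIXED_VERSION} or later "
              f"and restart Jenkins")
```

After upgrading, restart Jenkins rather than relying on a hot plugin update alone: as the overview notes, the plugin only picks up Jenkins' CSRF protection configuration at startup, so a restart is also what makes a change to that setting effective for this plugin.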

CVSS Score

4.3 (medium severity)
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    None
  • Integrity
    None
  • Availability
    Low
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Credit
Daniel Beck, CloudBees, Inc.
CVE
CVE-2019-1003022
CWE
CWE-352
Snyk ID
SNYK-JAVA-ORGJVNETHUDSONPLUGINS-173674
Disclosed
06 Feb, 2019
Published
06 Feb, 2019