This issue occurs when the victim has installed the plugin on a Jenkins instance. Attackers can exploit this by tricking a victim into visiting an attacker-specified URL. When a victim visits an attacker-specified URL, an authentication request is sent to the Jenkins instance, and the attacker can now connect to the Jenkins instance and perform actions as if the attacker were the victim. This can be leveraged to access Jenkins or perform other actions as the Jenkins user. This issue affects plugins that listen for HTTP POST requests.
Misc - CVE-2019-5351 Jenkins versions prior to 3.3.3 and 2.x prior to 2.121 are vulnerable to cross-site request forgery (CSRF) due to a missing authorization check. An attacker can craft a malicious URL and send it to a victim, who then connects to the Jenkins instance as the attacker. The attacker can then perform actions as though the Jenkins user. This can be leveraged to access Jenkins or perform other actions as the Jenkins user. This issue affects plugins that listen for HTTP POST requests.
In order to mitigate this issue, upgrade to Jenkins version 3.3.3. Alternatively, you can disable the following URL in the HTTP Host header of the plugin configuration file:
nowiki>https://{jenkins_env_url}//nowiki>
CVE - 2019-5352 Jenkins versions prior to 3.3.3 and 2.x prior to 2.121
Description of the issue
Jenkins versions prior to 3.3.3 and 2.x prior to 2.121 are vulnerable to cross-site request forgery (CSRF) due to a missing authorization check. An attacker can craft a malicious URL and send it to a victim, who then connects to the Jenkins instance as the attacker. The attacker can then perform actions as though the Jenkins user. This can be leveraged to access Jenkins or perform other actions as the Jenkins user. This issue affects plugins that listen for HTTP POST requests.
In order to mitigate this issue, upgrade to Jenkins version 3.3.3 or disable the following URL in the HTTP Host header of the plugin configuration file:
nowiki>https://{jenkins_env_url}//nowiki>
A meta blog post that includes all blog posts related to SEO
Instance-specific configuration option default value for the target url
In order to mitigate this issue, upgrade to Jenkins version 3.3.3 or 2.x prior to 2.121 and set the following configuration option in your plugin configuration file:
nowiki>https://{jenkins_env_url}//nowiki>
The web page for the blog post was about a blog post about why companies should outsource their SEO services (the subheading). The author of the blog post discussed that outsourcing SEO involves taking on some of the workload often associated with managing a search-optimized website and what is meant by "in much the same way that companies outsource their marketing efforts to experts."
Summary of Risk:
Jenkins versions prior to 3.3.3 and 2.x prior to 2.121 are vulnerable to cross-site request forgery (CSRF) due to a missing authorization check. An attacker can craft a malicious URL and send it to a victim, who then connects to the Jenkins instance as the attacker. The attacker can then perform actions as though the Jenkins user. This can be leveraged to access Jenkins or perform other actions as the Jenkins user.
In order to mitigate this issue, upgrade to Jenkins version 3.3.3. Alternatively, you can disable the following URL in the HTTP Host header of the plugin configuration file:
nowiki>https://{jenkins_env_url}//nowiki>
Timeline
Published on: 10/19/2022 16:15:00 UTC
Last modified on: 10/21/2022 03:18:00 UTC