Jenkins Jianliao Notification Plugin Missing Authorization vulnerability

Jenkins Jianliao Notification Plugin 1.1 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to send HTTP POST requests to an attacker-specified URL.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

Published by the National Vulnerability Database Jun 23, 2022

Published to the GitHub Advisory Database Jun 24, 2022

Reviewed Jul 5, 2022

Last updated Oct 27, 2023

Provide feedback