
CVE-2017-1000093: Cross-Site Request Forgery (CSRF)

October 5, 2017 (updated October 17, 2017)

The Poll SCM Plugin did not require that requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to initiate polling of projects with a known name. While Jenkins in general does not consider polling to be a protection-worthy action, as it is similar to cache invalidation, the plugin specifically adds a permission to control the use of this functionality, and this issue undermines that permission.
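The pattern the advisory describes, shown as an added illustration in Jenkins/Stapler terms (this is not the Poll SCM Plugin's own code): a permission check on a web method does nothing against CSRF when the method also accepts GET, since the victim's browser attaches their session cookie to a cross-site request. The class, method and permission names are hypothetical; `@RequirePOST`, `checkPermission` and `HttpResponses.redirectToDot()` are real Stapler/Jenkins APIs, and `schedulePolling()` is assumed to be the project's polling entry point.

```java
// Added illustration (not the Poll SCM Plugin's own code). Class, method and
// permission names are hypothetical; annotations and Jenkins types are real.
package example.hardening; // hypothetical package

import hudson.model.AbstractProject;
import hudson.model.Action;
import hudson.security.Permission;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class PollNowAction implements Action {
    private final AbstractProject<?, ?> project;
    // Hypothetical stand-in for the permission the plugin defines to guard polling.
    private final Permission pollPermission;

    public PollNowAction(AbstractProject<?, ?> project, Permission pollPermission) {
        this.project = project;
        this.pollPermission = pollPermission;
    }

    // Weak shape (what CVE-2017-1000093 describes): the permission check passes
    // for a logged-in victim even when the request came from a third-party page,
    // because Stapler will route a plain GET here and the session cookie is sent.
    public HttpResponse doPollUnsafe() {
        project.checkPermission(pollPermission);
        project.schedulePolling(); // assumed polling entry point on the project
        return HttpResponses.redirectToDot();
    }

    // Hardened form: @RequirePOST makes Stapler reject any verb other than POST,
    // and Jenkins' built-in CSRF protection then demands a valid crumb on POSTs,
    // so a cross-origin page cannot trigger this with the victim's session alone.
    @RequirePOST
    public HttpResponse doPoll() {
        project.checkPermission(pollPermission);
        project.schedulePolling();
        return HttpResponses.redirectToDot();
    }

    @Override public String getIconFileName() { return null; }
    @Override public String getDisplayName() { return "Poll Now"; }
    @Override public String getUrlName() { return "poll-now"; }
}
```

A quick way to spot the weak shape during review is to list every `do*` web method in a plugin that performs a state change and confirm each carries `@RequirePOST` (or an equivalent verb restriction).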

References

  • jenkins.io/security/advisory/2017-07-10/
  • nvd.nist.gov/vuln/detail/CVE-2017-1000093


Affected versions

All versions up to 1.3.1

Solution

Unfortunately, there is no solution available yet.

Impact 8.8 HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Weakness

  • CWE-352: Cross-Site Request Forgery (CSRF)

Source file

maven/org.jenkins-ci.plugins/pollscm/CVE-2017-1000093.yml
