Jenkins / JENKINS-44243

Script management vulnerable to Cross-Site Request Forgery attacks

    Details

      Description

      SECURITY-334
      None of the script management functionality in Scriptler requires POST access, and is therefore vulnerable to CSRF exploits even with CSRF protection enabled in the Jenkins global security configuration.
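      The mechanism behind the description: Jenkins' CrumbFilter only checks the CSRF crumb on POST requests, so a state-changing Stapler web method that also answers GET can be triggered from any third-party page with the victim's browser session, and the global "Prevent Cross Site Request Forgery exploits" setting never gets a chance to intervene. The class below is an added example, not Scriptler's code: a hypothetical `RootAction` with an in-memory script store, showing the unprotected method beside the same operation restricted to POST with `@RequirePOST`. The package, class, URL name and method names are made up for illustration; `Jenkins.get()` assumes a Jenkins core where it is available (2.98 or later).

      ```java
      package com.example.csrfdemo; // hypothetical package, not the Scriptler plugin's

      import hudson.Extension;
      import hudson.model.RootAction;
      import jenkins.model.Jenkins;
      import org.kohsuke.stapler.HttpResponse;
      import org.kohsuke.stapler.HttpResponses;
      import org.kohsuke.stapler.QueryParameter;
      import org.kohsuke.stapler.interceptor.RequirePOST;

      import java.util.Map;
      import java.util.concurrent.ConcurrentHashMap;

      /**
       * Hypothetical admin action exposing a "delete script" operation under
       * /csrf-demo/ (example only; not the real Scriptler code or URLs).
       */
      @Extension
      public class ScriptAdminAction implements RootAction {

          // Constructed in-memory store standing in for the plugin's script files.
          private final Map<String, String> scripts = new ConcurrentHashMap<>();

          @Override public String getIconFileName() { return null; } // no sidebar link
          @Override public String getDisplayName()  { return null; }
          @Override public String getUrlName()      { return "csrf-demo"; }

          // BEFORE: GET /csrf-demo/removeScriptUnsafe?id=foo is accepted.
          // CrumbFilter validates crumbs only on POST, so a GET issued from an
          // attacker's page (for example an <img src="..."> tag) runs with the
          // victim's session and deletes the script, even with CSRF protection
          // enabled in the global security configuration.
          public HttpResponse doRemoveScriptUnsafe(@QueryParameter String id) {
              // A permission check alone does not help: the victim IS an admin.
              Jenkins.get().checkPermission(Jenkins.ADMINISTER);
              scripts.remove(id);
              return HttpResponses.redirectToDot();
          }

          // AFTER: the same operation restricted to POST. Stapler answers any
          // other method with 405, and because the request must now be a POST,
          // CrumbFilter demands a crumb bound to the caller's session, which a
          // cross-origin page cannot read or forge.
          @RequirePOST
          public HttpResponse doRemoveScript(@QueryParameter(required = true) String id) {
              Jenkins.get().checkPermission(Jenkins.ADMINISTER);
              scripts.remove(id);
              return HttpResponses.redirectToDot();
          }
      }
      ```

      Two things follow from the fix. The UI side must submit the operation with a form rather than a plain hyperlink, since an `<a href>` always issues a GET; the Jenkins `<f:form>` Jelly tag adds the crumb automatically. And the change is easy to verify without a browser: with the annotation in place, a GET to the endpoint returns HTTP 405, and a POST without a crumb header is rejected by CrumbFilter with HTTP 403, while a POST that carries a crumb obtained from `/crumbIssuer/api/json` in the same session succeeds.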

          Activity

          Ioannis Moutsatsos added a comment:

          Dominik Bartholdi thank you for working to close several of the issues:

          • JENKINS-44242 - Persistent cross-site scripting
          • JENKINS-44243 - Script management vulnerable to Cross-Site Request Forgery attacks
          • JENKINS-44245 - Scriptler Plugin allows any Scriptler script to be executed as build step

          Any idea when these will be released in a new version of Scriptler? I think a lot of people are excited to get a new version that clears the security concerns, including us who support the Active-Choices plugin, a major benefactor of the Scriptler functionality. Best regards, Ioannis


            People

            • Assignee: Dominik Bartholdi (imod)
            • Reporter: Dominik Bartholdi (imod)
            • Votes: 0
            • Watchers: 3
