Miggo Logo

CVE-2013-2034: Jenkins Cross-Site Request Forgery vulnerabilities

6.8

CVSS Score

Basic Information

EPSS Score
0.72072%
Published
5/17/2022
Updated
2/8/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
AV:N/AC:M/Au:N/C:P/I:P/A:P
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.main:jenkins-coremaven< 1.509.11.509.1
org.jenkins-ci.main:jenkins-coremaven>= 1.513, < 1.5141.514

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The analysis identifies two key vulnerable functions based on:

  1. CloudBees advisory explicitly names MavenAbstractArtifactRecord.doRedeploy for Maven deployment CSRF and Jenkins.doEval for code execution
  2. Red Hat Bugzilla 958958 description confirms these two endpoints as attack vectors
  3. NVD change history shows these functions in the vulnerability description
  4. These are handler methods for critical administrative actions that lacked CSRF protections in vulnerable versions
  5. Both functions would appear in stack traces when processing malicious CSRF requests to /jenkins/... endpoints

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Multipl* *ross-sit* r*qu*st *or**ry (*SR*) vuln*r**iliti*s in J*nkins ***or* *.***, LTS ***or* *.***.*, *n* *nt*rpris* *.***.x ***or* *.***.**.* *n* *.***.x ***or* *.***.*.* *llow r*mot* *tt**k*rs to *ij**k t** *ut**nti**tion o* **ministr*tors *or r*

Reasoning

T** *n*lysis i**nti*i*s two k*y vuln*r**l* *un*tions **s** on: *. *lou****s **visory *xpli*itly n*m*s M*v*n**str**t*rti***tR**or*.*oR***ploy *or M*v*n **ploym*nt *SR* *n* J*nkins.*o*v*l *or *o** *x**ution *. R** **t *u*zill* ****** **s*ription *on*i