CVE-2017-1000389: Cross-Site Request Forgery (CSRF) vulnerability in Jenkins global-build-stats plugin
CVSS Score: 6.1 (CVSS 3.0)
Basic Information
CVE ID: CVE-2017-1000389
GHSA ID:
EPSS Score: 0.20451%
CWE:
Published: 5/14/2022
Updated: 1/30/2024
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
org.jenkins-ci.plugins:global-build-stats | maven | <= 1.4 | 1.5
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The advisory identifies two issues: 1) JSON responses served with a text/html content type, and 2) data-modifying endpoints accepting GET requests. Based on Jenkins plugin patterns:
- Data modification endpoints would use do[Action] methods (e.g., doDeleteStatistic) mapped to URLs; the lack of a @RequirePOST annotation would make them CSRF-vulnerable.
- JSON endpoints returning text/html would be getter methods (e.g., getApi) that set an incorrect content type.
- Confidence is medium: we infer standard Jenkins patterns without seeing the actual patch diffs, but they align with the advisory's specifics.