
CVE-2017-1000389: Cross-Site Request Forgery (CSRF) vulnerability in Jenkins global-build-stats plugin

CVSS Score (CVSS 3.0): 6.1

Basic Information

EPSS Score: 0.20451%
Published: 5/14/2022
Updated: 1/30/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name: org.jenkins-ci.plugins:global-build-stats
Ecosystem: maven
Vulnerable Versions: <= 1.4
First Patched Version: 1.5

Vulnerability Intelligence

Root Cause Analysis

The advisory identifies two issues: 1) JSON responses served with a text/html content type, and 2) data-modifying endpoints that accept GET requests. Based on Jenkins plugin patterns:

  1. Data-modification endpoints would be do[Action] methods (e.g., doDeleteStatistic) mapped to URLs by Stapler. Without a @RequirePOST annotation they are reachable by GET and therefore CSRF-vulnerable.
  2. The JSON endpoints returning text/html would be getter methods (e.g., getApi) that set an incorrect content type on the response.
  3. Confidence is medium: these functions are inferred from standard Jenkins plugin patterns without seeing the actual patch diff, but they align with the specifics of the advisory.
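To make the two root causes concrete, here is an added illustration (not the plugin's own code, and the class, method and statistic names are hypothetical): a Stapler web method in the shape the analysis describes, followed by the hardened form that the fix pattern implies.

```java
// Added example, not code from the global-build-stats plugin.
import hudson.model.RootAction;
import jenkins.model.Jenkins;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class ExampleStatsAction implements RootAction {
    // Hypothetical in-memory store standing in for the plugin's saved statistics.
    private final Map<String, Integer> stats = new ConcurrentHashMap<>();

    public String getIconFileName() { return null; } // hidden from the sidebar
    public String getDisplayName()  { return null; }
    public String getUrlName()      { return "example-stats"; }

    // Vulnerable shape (issue 1 and 2): Stapler maps this to GET /example-stats/deleteStatisticUnsafe,
    // nothing forces a POST (so no CSRF crumb is checked), and the JSON containing the
    // request parameter is labelled text/html, so a browser may render it as markup.
    public void doDeleteStatisticUnsafe(StaplerRequest req, StaplerResponse rsp) throws IOException {
        String id = req.getParameter("id");
        stats.remove(id);
        rsp.setContentType("text/html");
        rsp.getWriter().write("{\"deleted\":\"" + id + "\"}");
    }

    // Hardened shape: @RequirePOST rejects GET, so the request must be a POST that carries
    // Jenkins' CSRF crumb; the permission check gates the state change; the body is declared
    // JSON, built with JSONObject so the parameter is escaped, and nosniff stops content sniffing.
    @RequirePOST
    public void doDeleteStatistic(StaplerRequest req, StaplerResponse rsp) throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        String id = req.getParameter("id");
        boolean removed = stats.remove(id) != null;
        JSONObject out = new JSONObject();
        out.put("deleted", id);
        out.put("removed", removed);
        rsp.setContentType("application/json;charset=UTF-8");
        rsp.setHeader("X-Content-Type-Options", "nosniff");
        rsp.getWriter().write(out.toString());
    }
}
```

A quick review check for either issue is to grep a plugin's do* methods for missing @RequirePOST (or a manual POST check) and for setContentType("text/html") on methods that write JSON.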

Vulnerable functions


WAF Protection Rules

WAF Rule

Some URLs provided by Jenkins global-build-stats plugin version 1.4 and earlier returned a JSON response that contained request parameters. These responses had the Content Type: text/html, so could have been interpreted as HTML by clients, resulting
