6.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-1000389

GHSA ID

GHSA-gw8g-hh47-q4gw

EPSS Score

0.20451%

CWE

CWE-79

Published

5/14/2022

Updated

1/30/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-1000389

CVE-2017-1000389:
Cross-Site Request Forgery (CSRF) vulnerability in Jenkins global-build-stats plugin

Some URLs provided by Jenkins global-build-stats plugin version 1.4 and earlier returned a JSON response that contained request parameters. These responses had the Content Type: text/html, so could have been interpreted as HTML by clients, resulting in a potential reflected cross-site scripting vulnerability. Additionally, some URLs provided by global-build-stats plugin that modify data did not require POST requests to be sent, resulting in a potential cross-site request forgery vulnerability.

(GitHub Advisory)

6.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-1000389

GHSA ID

GHSA-gw8g-hh47-q4gw

EPSS Score

0.20451%

CWE

CWE-79

Published

5/14/2022

Updated

1/30/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:global-build-stats	maven	<= 1.4	1.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The advisory identifies two issues: 1) JSON responses with text/html content type, and 2) data-modifying endpoints accepting GET requests. Based on Jenkins plugin patterns:

Data modification endpoints would use do[Action] methods (e.g., doDeleteStatistic) mapped to URLs. The lack of @RequirePOST annotation would make them CSRF-vulnerable
JSON endpoints returning text/html would be getter methods (e.g., getApi) that set incorrect content type
Confidence is medium as we infer standard Jenkins patterns without seeing actual patch diffs, but align with advisory specifics

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Som* URLs provi*** *y J*nkins *lo**l-*uil*-st*ts plu*in v*rsion *.* *n* **rli*r r*turn** * JSON r*spons* t**t *ont*in** r*qu*st p*r*m*t*rs. T**s* r*spons*s *** t** *ont*nt Typ*: t*xt/*tml, so *oul* **v* ***n int*rpr*t** *s *TML *y *li*nts, r*sultin*

Reasoning

T** **visory i**nti*i*s two issu*s: *) JSON r*spons*s wit* t*xt/*tml *ont*nt typ*, *n* *) **t*-mo*i*yin* *n*points ****ptin* **T r*qu*sts. **s** on J*nkins plu*in p*tt*rns: *. **t* mo*i*i**tion *n*points woul* us* *o[**tion] m*t*o*s (*.*., *o**l*t*S

6.1

Basic Information

Concerned about an active attack path?

CVE-2017-1000389: Cross-Site Request Forgery (CSRF) vulnerability in Jenkins global-build-stats plugin

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2017-1000389:
Cross-Site Request Forgery (CSRF) vulnerability in Jenkins global-build-stats plugin

Vulnerability Intelligence
Miggo AI