Role-based Authorization Strategy Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed malicious users to add administrator role to any user, or to remove the authorization configuration, preventing legitimate access to Jenkins.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
jenkins role-based authorization strategy |