Jenkins Report Portal Plugin missing permissions check

Jenkins Report Portal Plugin 0.5 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified bearer token authentication.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Published by the National Vulnerability Database Apr 12, 2023

Published to the GitHub Advisory Database Apr 12, 2023

Reviewed Apr 12, 2023

Last updated Apr 21, 2023

Provide feedback