Jenkins promoted builds Plugin 3.9 and earlier does not require POST requests for HTTP endpoints implementing promotion (regular, forced, and re-execute), resulting in cross-site request forgery (CSRF) vulnerabilities.

These vulnerabilities allow attackers to promote builds.

Jenkins promoted builds Plugin 3.9.1 requires POST requests for the affected HTTP endpoints.

A security hardening since Jenkins 2.287 and LTS 2.277.2 prevents exploitation of this vulnerability.

Affected Packages

Maven org.jenkins-ci.plugins:promoted-builds

Affected versions: 0 (fixed in 3.9.1)

Related CVEs

CVE-2021-21641

Key Information

GHSA ID

GHSA-5cxw-8v65-76vf

Published

May 24, 2022 5:46 PM

Last Modified

October 27, 2023 2:01 PM

CVSS Score

5.0 /10

Primary Ecosystem

Maven

Primary Package

org.jenkins-ci.plugins:promoted-builds

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 24, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.