GHSA-rvww-w62m-hch8
GitHub Security Advisory
CSRF vulnerability in Jenkins Lockable Resources Plugin
✓ GitHub Reviewed
MODERATE
Has CVE
Advisory Details
Lockable Resources Plugin 2.8 and earlier does not require POST requests for several HTTP endpoints, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to reserve, unreserve, unlock, and reset resources. Lockable Resources Plugin 2.9 requires POST requests for the affected HTTP endpoints.
Affected Packages
Maven
org.6wind.jenkins:lockable-resources
Affected versions: 0 (fixed in 2.9)
Related CVEs
Key Information
5.0/10
Dataset
Last updated: August 25, 2025 6:33 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.