GHSA-whf8-3h58-2w9f

GitHub Security Advisory

Jenkins Warnings Next Generation Plugin cross-site request forgery vulnerability

GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

Jenkins Warnings Next Generation Plugin has a form validation HTTP endpoint used to validate a Groovy script through compilation, which was not subject to sandbox protection. The endpoint checked for the Overall/RunScripts permission, but did not require POST requests, so it was vulnerable to cross-site request forgery (CSRF). This allowed attackers to execute arbitrary code on the Jenkins controller by applying AST transforming annotations such as `@Grab` to source code elements.

The affected HTTP endpoint now applies a safe Groovy compiler configuration preventing the use of unsafe AST transforming annotations. Additionally, the form validation HTTP endpoint now requires that requests be sent via POST to prevent CSRF.
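The following is an added illustration of the two fixes the advisory describes, written for this page; it is not code from the Warnings Next Generation plugin or from Jenkins. It assumes a hypothetical Stapler form-validation method `doCheckScript` on a class `ScriptValidationExample`, uses `@RequirePOST` so that the endpoint only answers POST requests (the CSRF fix), checks the permission (the advisory names Overall/RunScripts, which current Jenkins cores fold into `Jenkins.ADMINISTER`), and compiles the script with a `CompilationCustomizer` that refuses AST-transforming annotations such as `@Grab`, together with imports of them, before any transformation can run. The list of blocked annotation names is an assumption chosen for the example and is deliberately shorter than what a production sandbox (for instance the script-security plugin's secure compiler configuration) would enforce.

```java
// Added example for this advisory page; not the plugin's own code.
// Shows a Groovy form-validation endpoint that (1) requires POST, (2) checks the
// permission and (3) compiles with a customizer that rejects AST-transforming
// annotations, so a syntax check cannot be turned into code execution.
package example; // hypothetical package

import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.codehaus.groovy.ast.AnnotatedNode;
import org.codehaus.groovy.ast.AnnotationNode;
import org.codehaus.groovy.ast.ClassNode;
import org.codehaus.groovy.ast.ImportNode;
import org.codehaus.groovy.classgen.GeneratorContext;
import org.codehaus.groovy.control.CompilationFailedException;
import org.codehaus.groovy.control.CompilationUnit;
import org.codehaus.groovy.control.CompilePhase;
import org.codehaus.groovy.control.CompilerConfiguration;
import org.codehaus.groovy.control.Phases;
import org.codehaus.groovy.control.SourceUnit;
import org.codehaus.groovy.control.customizers.CompilationCustomizer;
import org.codehaus.groovy.control.messages.SimpleMessage;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.util.Set;

public class ScriptValidationExample {

    // Assumed block list for the example: annotations whose AST transforms do work
    // (dependency download, arbitrary code) at compile time. Both the simple name and
    // the fully qualified name are listed because a script may use either form.
    private static final Set<String> BLOCKED = Set.of(
            "Grab", "groovy.lang.Grab",
            "Grapes", "groovy.lang.Grapes",
            "GrabConfig", "groovy.lang.GrabConfig",
            "GrabResolver", "groovy.lang.GrabResolver",
            "GrabExclude", "groovy.lang.GrabExclude",
            "ASTTest", "groovy.transform.ASTTest",
            "AnnotationCollector", "groovy.transform.AnnotationCollector");

    /** Fails compilation in the CONVERSION phase if a blocked annotation or import is present. */
    static final class RejectUnsafeAnnotations extends CompilationCustomizer {
        RejectUnsafeAnnotations() {
            super(CompilePhase.CONVERSION);
        }

        @Override
        public void call(SourceUnit source, GeneratorContext context, ClassNode classNode)
                throws CompilationFailedException {
            // An aliased import ("import groovy.lang.Grab as Dep") would hide the simple
            // name, so the import list is checked by fully qualified class name too.
            for (ImportNode imp : source.getAST().getImports()) {
                if (BLOCKED.contains(imp.getClassName())) {
                    reject(source, "import of " + imp.getClassName());
                }
                check(source, imp); // annotations placed on the import statement itself
            }
            check(source, classNode);
            classNode.getMethods().forEach(m -> check(source, m));
            classNode.getFields().forEach(f -> check(source, f));
            classNode.getProperties().forEach(p -> check(source, p));
        }

        private static void check(SourceUnit source, AnnotatedNode node) {
            for (AnnotationNode a : node.getAnnotations()) {
                ClassNode type = a.getClassNode();
                if (BLOCKED.contains(type.getName())
                        || BLOCKED.contains(type.getNameWithoutPackage())) {
                    reject(source, "annotation @" + type.getNameWithoutPackage());
                }
            }
        }

        private static void reject(SourceUnit source, String what) {
            // addFatalError throws CompilationFailedException, stopping the compile here.
            source.getErrorCollector().addFatalError(new SimpleMessage(
                    "Rejected " + what + ": AST-transforming annotations are not allowed", source));
        }
    }

    /**
     * Form-validation endpoint (the doCheck* name follows the Stapler convention).
     * @RequirePOST is the CSRF fix from the advisory: a GET issued by a cross-site
     * link or image no longer reaches this method.
     */
    @RequirePOST
    public FormValidation doCheckScript(@QueryParameter String script) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        try {
            compileOnly(script);
            return FormValidation.ok("Script compiles");
        } catch (CompilationFailedException e) {
            return FormValidation.error(e.getMessage());
        }
    }

    /** Compiles the script without running it, with the restrictive configuration applied. */
    static void compileOnly(String script) {
        CompilerConfiguration config = new CompilerConfiguration();
        config.addCompilationCustomizers(new RejectUnsafeAnnotations());
        CompilationUnit unit = new CompilationUnit(config);
        unit.addSource("validation-script.groovy", script);
        unit.compile(Phases.CANONICALIZATION); // stop well before class generation
    }
}
```

The two fixes are independent and both are needed: `@RequirePOST` alone leaves an authenticated administrator able to be tricked into a POST through other means only if a CSRF crumb is missing, which Jenkins enforces for POST, while the compiler restriction alone still leaves a GET endpoint that any cross-site page can trigger. A plain `CompilationUnit` with a default configuration would run the `@Grab` transformation during the CONVERSION phase even when compilation stops early, which is why the customizer is registered at that same phase.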

Affected Packages

Maven io.jenkins.plugins:warnings-ng
Affected versions: >= 0, <= 2.1.1 (last affected: 2.1.1)

Key Information

GHSA ID
GHSA-whf8-3h58-2w9f
Published
May 13, 2022 1:31 AM
Last Modified
October 25, 2023 11:03 PM
CVSS Score
7.5 /10
Primary Ecosystem
Maven
Primary Package
io.jenkins.plugins:warnings-ng
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 5, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.