Jenkins Sumologic Publisher Plugin missing permission check

Jenkins Sumologic Publisher Plugin 2.2.1 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Published by the National Vulnerability Database Jul 12, 2023

Published to the GitHub Advisory Database Jul 12, 2023

Reviewed Jul 12, 2023

Last updated Nov 7, 2023

Provide feedback