First published: Tue May 16 2023(Updated: )
Jenkins Email Extension Plugin 2.96 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This allows attackers to make another user stop watching an attacker-specified job. Email Extension Plugin 2.96.1 requires POST requests for the affected HTTP endpoint.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
Affected Software | Affected Version | How to fix |
---|---|---|
Jenkins Email Extension | <=2.96 | |
maven/org.jenkins-ci.plugins:email-ext | <2.96.1 | 2.96.1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-32980 is a cross-site request forgery (CSRF) vulnerability in the Jenkins Email Extension Plugin.
CVE-2023-32980 allows attackers to make another user stop watching an attacker-specified job.
CVE-2023-32980 has a severity level of medium.
To fix CVE-2023-32980, you should update your Jenkins Email Extension Plugin to version 2.96.1 or later.
You can find more information about CVE-2023-32980 in the Jenkins Security Advisory and the Red Hat Errata.