CVE-2019-16550
Cross-site request forgery (CSRF) vulnerability in Jenkins Maven Release Plugin
8.8
HIGH
CVSS 3.1
EPSS 0.12%
Description
A cross-site request forgery vulnerability in a connection test form method in Jenkins Maven Release Plugin 0.16.1 and earlier allows attackers to have Jenkins connect to an attacker-specified web server and parse XML documents.
How to fix CVE-2019-16550
To remediate CVE-2019-16550, upgrade the affected package to a fixed version below.
- Upgrade to 0.16.2 or later
Is CVE-2019-16550 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 0.16.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |