Jenkins < 2.107 / < 2.89.4 (LTS) Server-Side Request Forgery (SSRF) Vulnerability
Severity: Medium. Nessus Plugin ID 125733
Synopsis
The remote web server hosts a job scheduling and management system that is affected by a server-side request forgery (SSRF) vulnerability.
Description
The remote web server hosts a version of Jenkins that is prior to 2.107, or a version of Jenkins LTS prior to 2.89.4. It is, therefore, affected by a server-side request forgery (SSRF) vulnerability. Insufficient access control on the proxy configuration form allows attackers with Overall/Read access to Jenkins to force Jenkins to send a GET request to a specified URL. Some information about the request's response is also available to the attacker.
Solution
Upgrade Jenkins to version 2.107 or later. For Jenkins LTS, upgrade to version 2.89.4 or later.
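The following is an added example, not part of the Nessus plugin or of Jenkins, showing how a defender can classify a Jenkins version string against the fixed versions above. It assumes the version is read from the X-Jenkins response header that Jenkins sets, and that a three-component version (e.g. 2.89.4) belongs to the LTS line while a two-component one (e.g. 2.106) is a weekly release.

```python
"""Classify a Jenkins version against the SSRF fix versions named in this plugin.

Assumptions (not from the plugin text): the version comes from the X-Jenkins
response header; x.y.z versions are LTS releases, x.y versions are weekly.
"""
import re
from typing import Optional, Tuple

FIXED_WEEKLY = (2, 107)      # weekly line fixed in 2.107
FIXED_LTS = (2, 89, 4)       # LTS line fixed in 2.89.4


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the leading dotted numeric version; ignore suffixes such as '-SNAPSHOT'."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version_text: str) -> Optional[bool]:
    """True if the version is in the affected range, False if at or past the fix,
    None if the string cannot be parsed."""
    v = parse_version(version_text)
    if v is None:
        return None
    if len(v) >= 3:            # LTS line (x.y.z): compare against 2.89.4
        return v < FIXED_LTS
    return v < FIXED_WEEKLY    # weekly line (x.y): compare against 2.107


def check_headers(headers: dict) -> Optional[bool]:
    """Find the X-Jenkins header case-insensitively and classify its value."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return is_affected(value)
    return None


if __name__ == "__main__":
    # Constructed sample header sets, as a Jenkins instance might return them.
    for sample in ({"X-Jenkins": "2.89.3"}, {"X-Jenkins": "2.107"}, {"Server": "Jetty"}):
        print(sample, "->", check_headers(sample))
```

Note that an LTS 2.89.4 instance is "older" than weekly 2.90 by plain numeric comparison but is fixed, which is why the two release lines are compared separately.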