Skip to main content

Jenkins Gitee Plugin CVE-2026-57292

| EUVDEUVD-2026-38773 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-06-24 jenkins GHSA-w794-rwp2-jc9m
5.4
CVSS 3.1 · Vendor: jenkins
Share

Severity by source

Vendor (jenkins) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
4.6 MEDIUM

CSRF inherently requires victim browser interaction (UI:R, not UI:N); PR:L reflects the required authenticated Jenkins session on the victim side.

3.1 AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (jenkins).

CVSS VectorVendor: jenkins

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 24, 2026 - 16:23 vuln.today
CVSS changed
Jun 24, 2026 - 16:22 NVD
5.4 (None) 5.4 (MEDIUM)
CVE Published
Jun 24, 2026 - 13:20 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

A cross-site request forgery (CSRF) vulnerability in Jenkins Gitee Plugin 1288.v18b_deb_c9069b_ and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method.

AnalysisAI

Cross-site request forgery in Jenkins Gitee Plugin 1288.v18b_deb_c9069b_ and earlier allows network-accessible attackers to force a Jenkins instance to initiate connections to attacker-controlled URLs, using credential IDs previously obtained through a separate method. The CVSS vector confirms a low-privileged authenticated attacker posture (PR:L), meaning the victim must hold an active Jenkins session. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Enumerate Jenkins credential IDs via separate method
Delivery
Craft CSRF payload targeting Gitee Plugin endpoint
Exploit
Deliver malicious link to authenticated Jenkins user
Execution
User's browser submits forged request
Persist
Jenkins connects to attacker-controlled URL with stolen credential IDs
Impact
Attacker captures credentials from server logs

Vulnerability AssessmentAI

Exploitation Exploitation requires two prerequisites to be satisfied simultaneously: first, the attacker must have already obtained one or more valid Jenkins credential IDs through a separate method (enumeration, information disclosure, or insider access) - this is not provided by the CSRF flaw itself; second, an authenticated Jenkins user with at least low-privileged access (PR:L per CVSS) must be induced to visit an attacker-controlled web page or click a crafted link while their Jenkins session is active. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 5.4 Medium score reflects AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N - however, the UI:N assignment is inconsistent with the CSRF attack class, which by definition requires victim interaction (the victim's authenticated browser must submit the forged request). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has enumerated Jenkins credential IDs - for example, through a separate information-disclosure vulnerability or insider knowledge - crafts a malicious HTML page containing a hidden form that auto-submits a forged Gitee Plugin connection-test request. When an authenticated Jenkins user visits the page, their browser submits the request to Jenkins, which initiates an outbound connection to an attacker-controlled server using the specified credential IDs, potentially exposing the credential material to the attacker's server logs. …
Remediation Patch available per vendor advisory: update the Jenkins Gitee Plugin to the version released in the Jenkins security advisory published 2026-06-24, available at https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3762%20(1). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57292 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy