High severity8.8NVD Advisory· Published Oct 5, 2017· Updated May 13, 2026
CVE-2017-1000093
CVE-2017-1000093
Description
Poll SCM Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to initiate polling of projects with a known name. While Jenkins in general does not consider polling to be a protection-worthy action as it's similar to cache invalidation, the plugin specifically adds a permission to be able to use this functionality, and this issue undermines that permission.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jenkins-ci.plugins:pollscmMaven | < 1.3.1 | 1.3.1 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-fv3c-6cw7-2qcqghsaADVISORY
- jenkins.io/security/advisory/2017-07-10/nvdVendor Advisory
- nvd.nist.gov/vuln/detail/CVE-2017-1000093ghsaADVISORY
- jenkins.io/security/advisory/2017-07-10ghsaWEB
News mentions
0No linked articles in our index yet.