CVE-2018-1000013
Description
Jenkins Release Plugin 2.9 and earlier did not require form submissions to be submitted via POST, resulting in a CSRF vulnerability allowing attackers to trigger release builds.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Release Plugin ≤2.9 lacks POST requirement for form submissions, enabling CSRF attacks that trigger unauthorized release builds.
Vulnerability
Jenkins Release Plugin version 2.9 and earlier did not require form submissions to be submitted via HTTP POST, allowing Cross-Site Request Forgery (CSRF) attacks. The vulnerability exists in the form action endpoint used to trigger release builds [1].
Exploitation
An attacker can craft a malicious web page or link that, when visited by an authenticated Jenkins user, submits a forged request to the Release Plugin's form action URL. Since the plugin accepted GET requests (or other methods) without CSRF protection, the build is triggered without the victim's consent [2].
Impact
Successful exploitation allows an attacker to trigger release builds on the Jenkins instance. This can lead to unauthorized releases of software, potentially causing supply chain compromise or other downstream harm. The attacker gains the ability to initiate builds with the privileges of the victim user [1].
Mitigation
Jenkins Security Advisory 2018-01-22 states that the fix requires access to the form action URL to use POST only. Users should update the Release Plugin to version 3.0 or later, where this CSRF protection is enforced [2].
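The following is an added illustration, not code from the Release Plugin or from the Jenkins project, of the pattern the advisory's fix describes: a Stapler web method that Jenkins routes for any HTTP method, shown beside the same method restricted to POST with Stapler's `@RequirePOST` annotation. The class and method names (`ReleaseTriggerAction`, `doSubmitWeak`, `doSubmit`) are hypothetical; the Jenkins and Stapler types used are real.

```java
// Added example (hypothetical names; not the Release Plugin's code).
package example;

import hudson.model.AbstractProject;
import hudson.model.Action;
import hudson.model.Item;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;

import javax.servlet.ServletException;
import java.io.IOException;

/** A job-level action exposing a "trigger release" endpoint under /job/<name>/release/. */
public class ReleaseTriggerAction implements Action {
    private final AbstractProject<?, ?> project;

    public ReleaseTriggerAction(AbstractProject<?, ?> project) {
        this.project = project;
    }

    // Weak form: Stapler binds GET /job/<name>/release/submitWeak to this method as well.
    // Jenkins' CSRF crumb filter only validates POST requests, so a plain GET issued by
    // the victim's browser (e.g. from an <img> tag on another site) reaches the body
    // with the victim's session cookie attached. The permission check does not help:
    // the victim is a legitimately authorized user.
    public void doSubmitWeak(StaplerRequest req, StaplerResponse rsp)
            throws IOException, ServletException {
        project.checkPermission(Item.BUILD);
        project.scheduleBuild2(0);
        rsp.sendRedirect2(".");
    }

    // Hardened form: @RequirePOST makes Stapler reject any non-POST request before the
    // method body runs, so the request must be a POST, and a POST from the Jenkins UI
    // carries the crumb that the CSRF filter validates. A cross-origin form POST without
    // a valid crumb is refused by that filter.
    @RequirePOST
    public void doSubmit(StaplerRequest req, StaplerResponse rsp)
            throws IOException, ServletException {
        project.checkPermission(Item.BUILD);
        project.scheduleBuild2(0);
        rsp.sendRedirect2(".");
    }

    @Override public String getIconFileName() { return null; }
    @Override public String getDisplayName() { return "Release"; }
    @Override public String getUrlName() { return "release"; }
}
```

A quick check when reviewing a plugin for this class of bug: list every `do*` web method that changes state (schedules a build, saves configuration, deletes something) and confirm each carries `@RequirePOST` or otherwise rejects non-POST methods; a state-changing action reachable by GET is outside the reach of the crumb-based CSRF protection.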
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:releaseMaven | < 2.10 | 2.10 |
Affected products
- Range: <=2.9
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-j2h6-j34w-g5vp (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2018-1000013 (NVD entry)
- https://www.securityfocus.com/bid/102834 (SecurityFocus BID 102834)
- https://jenkins.io/security/advisory/2018-01-22/ (Jenkins Security Advisory 2018-01-22, vendor confirmation)
News mentions
No linked articles in our index yet.