Moderate severity · NVD Advisory · Published Jul 31, 2019 · Updated Aug 4, 2024

CVE-2019-10359

CVE-2019-10359

Description

A cross-site request forgery vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier in the M2ReleaseAction#doSubmit method allowed attackers to perform releases with attacker-specified options.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.jenkins-ci.plugins.m2release:m2release (Maven) | < 0.15.0 | 0.15.0

Affected products


Patches

2f1117d011e1

[SECURITY-1098]

https://github.com/jenkinsci/m2release-pluginJames NordJul 26, 2019via ghsa
1 file changed · +13 0
  • src/main/java/org/jvnet/hudson/plugins/m2release/M2ReleaseAction.java+13 0 modified
    @@ -55,6 +55,7 @@
     import org.apache.maven.shared.release.versions.VersionParseException;
     import org.kohsuke.stapler.StaplerRequest;
     import org.kohsuke.stapler.StaplerResponse;
    +import org.kohsuke.stapler.interceptor.RequirePOST;
     
     /**
      * The action appears as the link in the side bar that users will click on in
    @@ -85,6 +86,7 @@ public M2ReleaseAction(MavenModuleSet project, boolean selectCustomScmCommentPre
     	}
     
     	public List<ParameterDefinition> getParameterDefinitions() {
    +		M2ReleaseBuildWrapper.checkReleasePermission(project);
     		ParametersDefinitionProperty pdp = project.getProperty(ParametersDefinitionProperty.class);
     		List<ParameterDefinition> pds = Collections.emptyList();
     		if (pdp != null) {
    @@ -114,10 +116,12 @@ public String getUrlName() {
     	}
     
     	public boolean isSelectScmCredentials() {
    +		M2ReleaseBuildWrapper.checkReleasePermission(project);
     		return selectScmCredentials;
     	}
     
     	public boolean isSelectCustomScmCommentPrefix() {
    +		M2ReleaseBuildWrapper.checkReleasePermission(project);
     		return selectCustomScmCommentPrefix;
     	}
     
    @@ -126,6 +130,7 @@ public void setSelectCustomScmCommentPrefix(boolean selectCustomScmCommentPrefix
     	}
     
     	public boolean isSelectAppendHudsonUsername() {
    +		M2ReleaseBuildWrapper.checkReleasePermission(project);
     		return selectAppendHudsonUsername;
     	}
     
    @@ -134,6 +139,7 @@ public void setSelectAppendHudsonUsername(boolean selectAppendHudsonUsername) {
     	}
     
     	public boolean isSelectCustomScmTag() {
    +		M2ReleaseBuildWrapper.checkReleasePermission(project);
     		return selectCustomScmTag;
     	}
     
    @@ -146,6 +152,7 @@ public MavenModule getRootModule() {
     	}
     
     	public String computeReleaseVersion() {
    +		M2ReleaseBuildWrapper.checkReleasePermission(project);
     		String version = "NaN";
     		final MavenModule rootModule = getRootModule();
     		if (rootModule != null && StringUtils.isNotBlank(rootModule.getVersion())) {
    @@ -162,6 +169,7 @@ public String computeReleaseVersion() {
     	}
     
     	public String computeRepoDescription() {
    +		M2ReleaseBuildWrapper.checkReleasePermission(project);
     		StringBuilder sb = new StringBuilder();
     		sb.append(project.getRootModule().getName());
     		sb.append(':');
    @@ -170,6 +178,7 @@ public String computeRepoDescription() {
     	}
     
     	public String computeScmTag() {
    +		M2ReleaseBuildWrapper.checkReleasePermission(project);
     		// maven default is artifact-version
     		String artifactId = getRootModule() == null ? "M2RELEASE-TAG" : getRootModule().getModuleName().artifactId;
     		StringBuilder sb = new StringBuilder();
    @@ -180,6 +189,7 @@ public String computeScmTag() {
     	}
     
     	public String computeNextVersion() {
    +		M2ReleaseBuildWrapper.checkReleasePermission(project);
     		String version = "NaN-SNAPSHOT";
     		final MavenModule rootModule = getRootModule();
     		if (rootModule != null && StringUtils.isNotBlank(rootModule.getVersion())) {
    @@ -195,9 +205,11 @@ public String computeNextVersion() {
     	}
     
     	public boolean isNexusSupportEnabled() {
    +		M2ReleaseBuildWrapper.checkReleasePermission(project);
     		return project.getBuildWrappersList().get(M2ReleaseBuildWrapper.class).getDescriptor().isNexusSupport();
     	}
     
    +	@RequirePOST
     	public void doSubmit(StaplerRequest req, StaplerResponse resp) throws IOException, ServletException {
     		M2ReleaseBuildWrapper.checkReleasePermission(project);
     		M2ReleaseBuildWrapper m2Wrapper = project.getBuildWrappersList().get(M2ReleaseBuildWrapper.class);
    @@ -298,6 +310,7 @@ public void doSubmit(StaplerRequest req, StaplerResponse resp) throws IOExceptio
     	 * Gets the {@link ParameterDefinition} of the given name, if any.
     	 */
     	public ParameterDefinition getParameterDefinition(String name) {
    +		M2ReleaseBuildWrapper.checkReleasePermission(project);
     		for (ParameterDefinition pd : getParameterDefinitions()) {
     			if (pd.getName().equals(name)) {
     				return pd;
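Review bot: `@RequirePOST` on `doSubmit` (hunk `@@ -195,9 +205,11 @@`) is the actual CSRF fix, but nothing in the diff says why the annotation is there, and the ten `M2ReleaseBuildWrapper.checkReleasePermission(project);` lines added to the accessors are easy to mistake for it; a comment above the annotation would keep a later cleanup from dropping it, e.g. `// Starting a release changes build state: reject GET so Jenkins' CSRF (crumb) protection applies to this endpoint (SECURITY-1098).` The permission check on the first line of `doSubmit` predates this commit, so the accessor checks presumably exist to stop the release form from exposing its options to users who cannot release — that purpose is inferred, not visible in the hunks, and is worth a one-line comment on `getParameterDefinitions()` at least. `getParameterDefinition(String)` now checks the permission and then calls `getParameterDefinitions()`, which checks it again; harmless, but the outer call could be dropped. The bodies of `doSubmit` and `getParameterDefinition` continue past their hunks.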
    

Vulnerability mechanics


References


News mentions

