VYPR
Moderate severity · NVD Advisory · Published Mar 6, 2024 · Updated Feb 13, 2025

CVE-2024-28158

Description

A CSRF vulnerability in Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier allows attackers to trigger builds without authorization.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Jenkins Subversion Partial Release Manager Plugin 1.0.1 and earlier is vulnerable to cross-site request forgery (CSRF). This flaw occurs because the plugin does not require a confirmation token or other CSRF protection when processing requests to trigger builds [1]. Attackers can exploit this by crafting malicious web pages or links that, when visited by an authenticated Jenkins user with appropriate permissions, cause the user's browser to send an unauthorized request to the Jenkins server [2]. This results in a build being triggered without the user's consent [4]. The impact is that an attacker can force the execution of arbitrary builds, potentially consuming resources or disrupting normal operations. As of the advisory date, no fix is available, and the plugin is listed as an unresolved security issue [2]. Users should consider disabling the plugin if not required until a patch is released.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| org.jenkins-ci.plugins:svn-partial-release-mgr (Maven) | <= 1.0.1 | |

Affected products

2

Patches

0

No patches discovered yet.

References

4
