vulnerability
Arch Linux: Cross-site request forgery (CVE-2017-1000356)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:M/Au:N/C:P/I:P/A:P) | Jan 29, 2018 | Jul 11, 2025 | Nov 27, 2025 |
Severity
7
CVSS
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Published
Jan 29, 2018
Added
Jul 11, 2025
Modified
Nov 27, 2025
Description
Multiple Cross-Site Request Forgery vulnerabilities in Jenkins allowed malicious users to perform several administrative actions by tricking a victim into opening a web page. The most notable ones:
SECURITY-412: Restart Jenkins immediately, after all builds are finished, or after all plugin installations and builds are finished
SECURITY-412: Schedule a downgrade of Jenkins to a previously installed version if Jenkins previously upgraded itself
SECURITY-413: Install and (optionally) dynamically load any plugin present on a configured update site
SECURITY-414: Remove any update site from the Jenkins configuration
SECURITY-415: Change a user’s API token
SECURITY-416: Submit system configuration
SECURITY-417: Submit global security configuration
SECURITY-418, SECURITY-420: For Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process
SECURITY-419: Create a new agent, possibly executing arbitrary shell commands on the master node by choosing the appropriate launch method
SECURITY-420: Update the node monitor data on all agents
SECURITY-412: Restart Jenkins immediately, after all builds are finished, or after all plugin installations and builds are finished
SECURITY-412: Schedule a downgrade of Jenkins to a previously installed version if Jenkins previously upgraded itself
SECURITY-413: Install and (optionally) dynamically load any plugin present on a configured update site
SECURITY-414: Remove any update site from the Jenkins configuration
SECURITY-415: Change a user’s API token
SECURITY-416: Submit system configuration
SECURITY-417: Submit global security configuration
SECURITY-418, SECURITY-420: For Jenkins user database authentication realm: create an account if signup is enabled; or create an account if the victim is an administrator, possibly deleting the existing default admin user in the process
SECURITY-419: Create a new agent, possibly executing arbitrary shell commands on the master node by choosing the appropriate launch method
SECURITY-420: Update the node monitor data on all agents
Solution
arch-linux-upgrade-latest
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.