Description
A cross-site request forgery (CSRF) vulnerability in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows attackers to have Jenkins connect to an attacker-specified URL using an attacker-specified username, API key, and service key.
Published: 2026-06-24
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross‑site request forgery vulnerability (CWE‑352) in the Jenkins Contrast Continuous Application Security Plugin allows an attacker to force Jenkins to connect to a URL chosen by the attacker, using credentials supplied by the attacker. This could enable the attacker to obtain access tokens, privileged API keys, or other secrets, and to initiate unauthorized connections to internal or external services without the user’s explicit consent. The impact is the potential for credential theft and illicit remote activity originating from the Jenkins server, thereby compromising the confidentiality and integrity of the infrastructure it services.

Affected Systems

The flaw exists in the Jenkins Contrast Continuous Application Security Plugin version 3.11 and earlier. The plugin is distributed by the Jenkins Project and is used to integrate Contrast’s application security analysis into Jenkins jobs.

Risk and Exploitability

The CVSS score is 5.4, EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not currently known to be widely exploited. The attack requires a user to be authenticated to the Jenkins instance; once CSRF is achieved, the attacker can supply arbitrary connection parameters. The risk is considered moderate owing to the CVSS rating, though the potential for credential compromise and unauthorized remote connections remains significant.

Generated by OpenCVE AI on June 24, 2026 at 18:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Contrast Continuous Application Security Plugin version 3.12 or later, if available.
  • Disable or uninstall the Contrast plugin when it is not required for your workflow.
  • Enable Jenkins’ CSRF protection by configuring the global configuration under “Configure Global Security.”
  • Restrict outbound network traffic from the Jenkins server to trusted hosts using firewall rules or network segmentation.

Generated by OpenCVE AI on June 24, 2026 at 18:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins
Jenkins contrast Continuous Application Security
Jenkins Project
Jenkins Project jenkins Contrast Continuous Application Security Plugin
Vendors & Products Jenkins
Jenkins contrast Continuous Application Security
Jenkins Project
Jenkins Project jenkins Contrast Continuous Application Security Plugin

Wed, 24 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Title Cross‑Site Request Forgery in Jenkins Contrast Plugin Allows Arbitrary Remote Connections

Wed, 24 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Title Cross‑Site Request Forgery in Jenkins Contrast Plugin Allows Arbitrary Remote Connections
Weaknesses CWE-352

Wed, 24 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description A cross-site request forgery (CSRF) vulnerability in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows attackers to have Jenkins connect to an attacker-specified URL using an attacker-specified username, API key, and service key.
References

Subscriptions

Jenkins Contrast Continuous Application Security
Jenkins Project Jenkins Contrast Continuous Application Security Plugin
cve-icon MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-24T15:12:29.222Z

Reserved: 2026-06-24T08:41:44.358Z

Link: CVE-2026-57298

cve-icon Vulnrichment

Updated: 2026-06-24T15:09:09.120Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:41:00Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)