Description
A cross-site request forgery (CSRF) vulnerability in Jenkins Zowe zDevOps Plugin 1.1.3.50.ve350c9b_450b_1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Published: 2026-06-24
Score: 4.2 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross‑site request forgery flaw in Jenkins Zowe zDevOps Plugin 1.1.3.50.ve350c9b_450b_1 and earlier allows an attacker to trigger a background request to an attacker‑specified URL using attacker‑supplied credential identifiers that were obtained through another route, thereby causing Jenkins to send stored credentials to that URL and capture them. The flaw is a CWE‑352 Cross‑Site Request Forgery.

Affected Systems

Jenkins Zowe zDevOps Plugin, versions 1.1.3.50.ve350c9b_450b_1 and all earlier releases are affected; the vulnerability arises in the plugin's handling of credential identifiers and outbound requests.

Risk and Exploitability

The attack vector is a web‑based CSRF request; the attacker must first obtain valid credential IDs via another route and then trigger the plugin to use them in a forged request. The CVSS score of 4.2 indicates a moderate severity; EPSS is not available and the vulnerability is not listed in KEV. The vulnerability can be exploited remotely by a malicious actor with access to the Jenkins instance or who can induce a user to submit a mischievous request.

Generated by OpenCVE AI on June 24, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Jenkins Zowe zDevOps Plugin to the latest available version that fixes the CSRF issue.
  • Enable Jenkins’ crumb issuer or another CSRF protection mechanism for all plugin endpoints if not already active.
  • Restrict the use of credential identifiers and audit for unauthorized or unusual credential access patterns.

Generated by OpenCVE AI on June 24, 2026 at 15:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins Project
Jenkins Project jenkins Zowe Zdevops Plugin
Vendors & Products Jenkins Project
Jenkins Project jenkins Zowe Zdevops Plugin

Wed, 24 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Title CSRF in Jenkins Zowe zDevOps Plugin Enables Credential Theft via Remote Connection

Wed, 24 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-352
Metrics cvssV3_1

{'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 24 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description A cross-site request forgery (CSRF) vulnerability in Jenkins Zowe zDevOps Plugin 1.1.3.50.ve350c9b_450b_1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
References

Subscriptions

Jenkins Project Jenkins Zowe Zdevops Plugin
cve-icon MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-24T14:00:29.670Z

Reserved: 2026-06-24T08:41:44.359Z

Link: CVE-2026-57306

cve-icon Vulnrichment

Updated: 2026-06-24T14:00:22.428Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:40:50Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)