Advisories for Maven/Org.jenkins-Ci.plugins/Convert-to-Pipeline package

Convert To Pipeline Plugin 1.0 and earlier does not require POST requests for the HTTP endpoint converting a Freestyle project to Pipeline, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to create a Pipeline based on a Freestyle project. Combined with SECURITY-2966/CVE-2023-28677, this can result in the execution of unsandboxed Pipeline scripts.

Jenkins Convert To Pipeline Plugin 1.0 and earlier uses basic string concatenation to convert Freestyle projects' Build Environment, Build Steps, and Post-build Actions to the equivalent Pipeline step invocations. This allows attackers able to configure Freestyle projects to prepare a crafted configuration that injects Pipeline script code into the (unsandboxed) Pipeline resulting from a conversion by Convert To Pipeline Plugin. If an administrator converts the Freestyle project to a Pipeline, …