CVE-2023-28676: Jenkins Convert To Pipeline Plugin vulnerable to cross-site request forgery

April 2, 2023 (updated February 25, 2025)

Convert To Pipeline Plugin 1.0 and earlier does not require POST requests for the HTTP endpoint converting a Freestyle project to Pipeline, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to create a Pipeline based on a Freestyle project. Combined with SECURITY-2966/CVE-2023-28677, this can result in the execution of unsandboxed Pipeline scripts.

References

github.com/advisories/GHSA-48g9-h7g5-8pw2
github.com/jenkinsci/octoperf-plugin
nvd.nist.gov/vuln/detail/CVE-2023-28676
www.jenkins.io/security/advisory/2023-03-21/

Detect and mitigate CVE-2023-28676 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →