Description
Poll SCM Plugin was not requiring requests to its API be sent via POST, thereby opening itself to Cross-Site Request Forgery attacks. This allowed attackers to initiate polling of projects with a known name. While Jenkins in general does not consider polling to be a protection-worthy action as it's similar to cache invalidation, the plugin specifically adds a permission to be able to use this functionality, and this issue undermines that permission.
Remediation
References
https://jenkins.io/security/advisory/2017-07-10/
Related Vulnerabilities
CVE-2016-2164 Vulnerability in maven package org.apache.openmeetings:openmeetings-server
CVE-2023-25158 Vulnerability in maven package org.geotools.jdbc:gt-jdbc-postgis
CVE-2012-5886 Vulnerability in maven package org.apache.tomcat:catalina
CVE-2010-5312 Vulnerability in npm package jquery-ui
CVE-2018-1000610 Vulnerability in maven package io.jenkins:configuration-as-code