This advisory announces multiple vulnerabilities in the Favorite Plugin.
JENKINS-44643 / CVE-2017-1000243
A missing permission check allowed any user to add or remove favorites for any other user.
The API was changed so users cannot change another user’s favorites, only their own.
SECURITY-532 / CVE-2017-1000244
An API used to add and remove favorites was vulnerable to CSRF, allowing an attacker to change a victim's favorites.
The API now requires requests to be sent via POST, which subjects them to the CSRF protection (crumbs) configurable in the Jenkins global security configuration.
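Both issues come down to where a state-changing handler takes its inputs from: the vulnerable endpoint took the target user from a request parameter and accepted any HTTP method without an anti-CSRF token; the fix takes the target from the authenticated session and only acts on a crumbed POST. The following Python model, added here as an illustration and not code from the Favorite Plugin or the Jenkins project, replays both attacks against a handler with the flaws and against a hardened one. The `Request` shape, the `Jenkins-Crumb` header handling, the crumb issuer (a simplified stand-in for Jenkins' HMAC-based crumb), and the users, sessions and job names are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


def fresh_store():
    # Constructed sample state standing in for the plugin's per-user favorites.
    return {"alice": {"build-api"}, "mallory": set()}


@dataclass
class Request:
    method: str
    user: Optional[str]      # principal bound to the session cookie (None = anonymous)
    session_id: str
    params: dict
    headers: dict = field(default_factory=dict)


class CrumbIssuer:
    """Per-session anti-CSRF token, loosely modelled on Jenkins' default crumb
    issuer (an HMAC over user and session id). Not Jenkins' own code."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def issue(self, user, session_id):
        msg = f"{user};{session_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def validate(self, req):
        expected = self.issue(req.user, req.session_id)
        return hmac.compare_digest(expected, req.headers.get("Jenkins-Crumb", ""))


def _toggle(store, user, job):
    store.setdefault(user, set()).symmetric_difference_update({job})


def toggle_favorite_vulnerable(req, store):
    """Both flaws: the target user is taken from the request (JENKINS-44643) and
    any HTTP method without a crumb is accepted (SECURITY-532)."""
    target = req.params.get("userName", req.user)
    _toggle(store, target, req.params["job"])
    return 200


def toggle_favorite_hardened(req, store, issuer):
    """Fix: POST only, valid crumb required, and the target is always the caller."""
    if req.method != "POST":
        return 405
    if req.user is None or not issuer.validate(req):
        return 403
    _toggle(store, req.user, req.params["job"])   # any userName parameter is ignored
    return 200


def run_scenarios():
    """Replay the two attacks against both handlers; returns a summary dict."""
    issuer = CrumbIssuer()
    out = {}

    # 1. Missing permission check: mallory names alice as the user to modify.
    forged = Request("GET", "mallory", "s-m", {"userName": "alice", "job": "build-api"})
    s = fresh_store()
    toggle_favorite_vulnerable(forged, s)
    out["vuln_removes_victim_fav"] = "build-api" not in s["alice"]

    s = fresh_store()
    out["hard_get_status"] = toggle_favorite_hardened(forged, s, issuer)  # GET refused
    # Even as a correctly crumbed POST, mallory can only touch mallory's own list.
    posted = Request("POST", "mallory", "s-m", {"userName": "alice", "job": "build-api"},
                     {"Jenkins-Crumb": issuer.issue("mallory", "s-m")})
    s = fresh_store()
    toggle_favorite_hardened(posted, s, issuer)
    out["hard_victim_untouched"] = "build-api" in s["alice"]
    out["hard_self_toggled"] = "build-api" in s["mallory"]

    # 2. CSRF: alice's browser is made to send the request from an attacker's page;
    #    her session cookie rides along, but no crumb does.
    csrf_get = Request("GET", "alice", "s-a", {"job": "build-api"})
    s = fresh_store()
    toggle_favorite_vulnerable(csrf_get, s)
    out["vuln_csrf_succeeds"] = "build-api" not in s["alice"]

    s = fresh_store()
    out["hard_csrf_get_status"] = toggle_favorite_hardened(csrf_get, s, issuer)
    csrf_post = Request("POST", "alice", "s-a", {"job": "build-api"})  # auto-submitted form
    out["hard_csrf_post_status"] = toggle_favorite_hardened(csrf_post, s, issuer)
    # A legitimate POST carrying a crumb issued for alice's own session succeeds.
    legit = Request("POST", "alice", "s-a", {"job": "build-api"},
                    {"Jenkins-Crumb": issuer.issue("alice", "s-a")})
    out["hard_legit_status"] = toggle_favorite_hardened(legit, s, issuer)
    out["hard_legit_toggled"] = "build-api" not in s["alice"]
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The order of checks in the hardened handler matters: refusing non-POST methods first means a plain link or image tag can never trigger the action, and the crumb check then covers auto-submitted cross-site forms; neither check substitutes for deriving the target user from the session rather than the request, which is the separate fix for JENKINS-44643.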
Affected versions: JENKINS-44643 affects Favorite Plugin up to and including 2.1.0.
Affected versions: SECURITY-532 affects Favorite Plugin up to and including 2.2.0.
The Jenkins project would like to thank the reporter for discovering and reporting this vulnerability:
Andres Rodriguez, CloudBees, Inc. for SECURITY-532