# Title: Jenkins 1.626 - Cross Site Request Forgery / Code Execution
# Date: 27.08.15
# Vendor: jenkins-ci.org
# Affected versions: <= 1.626 (current)
# Software link: http://mirrors.jenkins-ci.org/war/latest/jenkins.war
# Tested on: win64
# Author: Smash_
# Contact: smash [at] devilteam.pl

A cross-site request forgery vulnerability in Jenkins 1.626 allows remote attackers to hijack the authentication of users for most requests. Jenkins 1.x ships with its CSRF protection (the crumb issuer, enabled by the "Prevent Cross Site Request Forgery exploits" option under Manage Jenkins -> Configure Global Security) turned off, so a logged-in user who visits an attacker-controlled page has state-changing requests issued on their behalf. Using CSRF, an attacker can change specific settings or even execute code on the operating system, as shown in the examples below.

Examples:
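The practical check that follows from the advisory is whether a given Jenkins instance actually enforces crumbs on POST requests. The script below is an added example, not part of the original advisory and not Jenkins project code. It assumes a reachable Jenkins base URL, optionally a `user:password` (or `user:apitoken`) pair for basic auth, and that the Jenkins root `/api/json` endpoint accepts a POST (a harmless target used here only to see whether the crumb filter rejects it); the helper names `parse_crumb`, `classify`, `probe` and `_request` are this example's own. The crumb endpoint `/crumbIssuer/api/json` and the field names `.crumb` (1.x) and `Jenkins-Crumb` (2.x) are real Jenkins behaviour.

```python
"""Probe a Jenkins instance for enforced CSRF (crumb) protection.

Added example, not from the original advisory. Assumptions: the base URL
points at Jenkins, basic auth is accepted, and POST /api/json is a valid
target (it is used only to observe whether the crumb filter blocks it).
"""
import base64
import json
import sys
import urllib.error
import urllib.request
from typing import Optional, Tuple

CRUMB_PATH = "/crumbIssuer/api/json"
PROBE_PATH = "/api/json"


def parse_crumb(body: bytes) -> Optional[dict]:
    """Extract the crumb header name and value from /crumbIssuer/api/json.

    Jenkins answers {"crumb": "...", "crumbRequestField": "..."}; the field
    is ".crumb" on 1.x and "Jenkins-Crumb" on 2.x. Returns None when the
    body is not JSON carrying both keys (e.g. an HTML error page because the
    issuer is disabled).
    """
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    if "crumb" not in data or "crumbRequestField" not in data:
        return None
    return {"field": data["crumbRequestField"], "value": data["crumb"]}


def classify(crumb_status: int, post_status_without_crumb: int) -> str:
    """Interpret the two probe results.

    - crumb endpoint not 200: the issuer is disabled, so any POST from a
      third-party page rides the victim's session unchecked.
    - issuer present and the crumb-less POST answered 403: enforced.
    - issuer present but the crumb-less POST accepted (2xx/3xx): the probed
      path is exempt or enforcement is not in effect.
    """
    if crumb_status != 200:
        return "unprotected: crumb issuer disabled"
    if post_status_without_crumb == 403:
        return "protected: crumb required on POST"
    if 200 <= post_status_without_crumb < 400:
        return "unprotected: POST accepted without crumb"
    return "inconclusive: POST returned %d" % post_status_without_crumb


def _request(url: str, auth: Optional[str] = None,
             data: Optional[bytes] = None) -> Tuple[int, bytes]:
    """GET (data=None) or POST (data given) and return (status, body).

    Jenkins replies 403 with a text body when a crumb is missing, so the
    HTTPError branch keeps the status instead of raising.
    """
    req = urllib.request.Request(url, data=data)
    if auth:
        token = base64.b64encode(auth.encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe(base_url: str, auth: Optional[str] = None) -> Tuple[str, Optional[dict]]:
    """Run both requests against a live instance and classify the result."""
    base = base_url.rstrip("/")
    crumb_status, crumb_body = _request(base + CRUMB_PATH, auth)
    # Deliberately send the POST without any crumb field or header.
    post_status, _ = _request(base + PROBE_PATH, auth, data=b"")
    crumb = parse_crumb(crumb_body) if crumb_status == 200 else None
    return classify(crumb_status, post_status), crumb


if __name__ == "__main__":
    # usage: python jenkins_crumb_check.py http://jenkins:8080 [user:token]
    verdict, crumb = probe(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    print(verdict)
    if crumb:
        print("crumb field: %s" % crumb["field"])
```

Run it as the same low-privilege user whose browser session the advisory targets: if the verdict is "unprotected", a cross-origin form auto-submitted from any page the user opens will be accepted exactly as if the user had sent it. Enabling the crumb issuer turns the verdict into "protected", and legitimate clients then have to fetch the crumb and send it back in the field `parse_crumb` reports.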