VulnerableCode Package Details - pkg:maven/org.jenkins-ci.plugins/github-branch-source@1.9

Search for packages

Vulnerability	Summary	Fixed by
VCID-a1y1-cecp-cbbd Aliases: CVE-2017-1000087 GHSA-6jp2-hggx-8j7p	Information Exposure GitHub Branch Source provides a list of applicable credential IDs to allow users configuring a job to select the one they'd like to use. This functionality did not check permissions, allowing any user with `Overall/Read` permission to get a list of valid credentials IDs. Those could be used as part of an attack to capture the credentials using another vulnerability.	2.2.0-alpha-1 Affected by 0 other vulnerabilities. 2.2.5 Affected by 0 other vulnerabilities.
VCID-ee1e-58sz-5bak Aliases: CVE-2017-1000091 GHSA-w66r-f5gg-gqwm	Cross-Site Request Forgery (CSRF) GitHub Branch Source Plugin connects to a user-specified GitHub API URL as part of form validation and completion. This functionality improperly checked permissions, allowing any user with `Overall/Read` access to Jenkins to connect to any web server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery.	2.2.0-alpha-1 Affected by 0 other vulnerabilities. 2.2.5 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-a1y1-cecp-cbbd
Aliases:
CVE-2017-1000087
GHSA-6jp2-hggx-8j7p

Information Exposure GitHub Branch Source provides a list of applicable credential IDs to allow users configuring a job to select the one they'd like to use. This functionality did not check permissions, allowing any user with `Overall/Read` permission to get a list of valid credentials IDs. Those could be used as part of an attack to capture the credentials using another vulnerability.

2.2.0-alpha-1
Affected by 0 other vulnerabilities.

2.2.5
Affected by 0 other vulnerabilities.

VCID-ee1e-58sz-5bak
Aliases:
CVE-2017-1000091
GHSA-w66r-f5gg-gqwm

Cross-Site Request Forgery (CSRF) GitHub Branch Source Plugin connects to a user-specified GitHub API URL as part of form validation and completion. This functionality improperly checked permissions, allowing any user with `Overall/Read` access to Jenkins to connect to any web server and send credentials with a known ID, thereby possibly capturing them. Additionally, this functionality did not require POST requests be used, thereby allowing the above to be performed without direct access to Jenkins via Cross-Site Request Forgery.

2.2.0-alpha-1
Affected by 0 other vulnerabilities.

2.2.5
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:37:10.367504+00:00	GitLab Importer	Affected by	VCID-ee1e-58sz-5bak	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jenkins-ci.plugins/github-branch-source/CVE-2017-1000091.yml	38.6.0
2026-06-02T04:37:09.695400+00:00	GitLab Importer	Affected by	VCID-a1y1-cecp-cbbd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jenkins-ci.plugins/github-branch-source/CVE-2017-1000087.yml	38.6.0

2026-06-02T04:37:10.367504+00:00

GitLab Importer

Affected by

VCID-ee1e-58sz-5bak

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jenkins-ci.plugins/github-branch-source/CVE-2017-1000091.yml

38.6.0

2026-06-02T04:37:09.695400+00:00

GitLab Importer

Affected by

VCID-a1y1-cecp-cbbd

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jenkins-ci.plugins/github-branch-source/CVE-2017-1000087.yml

38.6.0

Next non-vulnerable version	2.2.0-alpha-1
Latest non-vulnerable version	1967.1969.v205fd594c821
Risk	3.1