Cross-Site Request Forgery on Develocity API calls

Develocity introduced an API for extracting build data and automating some administrative tasks in version 2022.1. API operations include reading and modifying some data and settings stored in Develocity. This API also supports authentication with a cookie-based session token, but in vulnerable versions, it does not implement CSRF protection.

The vulnerability allows an external, remote attacker to have a logged in user perform inadvertent changes in a Develocity instance if the user visits a malicious location in a browser that is signed in to Develocity at the same time. Possible changes are limited by the permissions of the user and API functionality. Information disclosure is prevented by the same-origin policy in browsers, not allowing data to be read by the attacker.

For an attacker to be able to exploit this vulnerability, the logged in user must have at least one of the following permissions: Administer Develocity, Configure Build Caches, Administer Projects. Users without these permissions are unaffected.