I'm setting up a Jenkins server, and ran across a reported vulnerability, SECURITY-3033, also identified as CVE-2023-37954:
Rebuilder Plugin 320.v5a_0933a_e7d61 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.
But from what I know of network security, the choice of GET vs POST for an endpoint shouldn't have any bearing on whether or not there's a CSRF vulnerability. Does this supposed vulnerability even make sense?
Both GET and POST (and in theory any other kind of) requests can trigger CSRF vulnerabilities. It only depends on what the server does with the request. In theory, GET requests are supposed to not be state-changing, but people violate this constantly (such as with log-out links).
However, it is still possible for GET vs. POST to change whether an application is vulnerable. That's because most modern webapp frameworks offer CSRF protection on POST requests, but not on GET requests (since GET requests aren't supposed to be state-changing). Thus, while the root of the problem isn't actually about GET vs. POST - it's simply that the endpoint doesn't have CSRF protection - the reason it doesn't have CSRF protection is likely to be because the framework doesn't expect CSRF protection to be needed on GET requests.
You are correct, there is no difference between GET and POST requests for a CSRF attack. If anything, the POST request could be more "vulnerable" as it is more likely to perform some change on the server (where GET requests should not).
So the conditional "not requiring POST request" results in "CSRF vulnerability" is false.
