Lucene search

GitHub Advisory DatabaseGHSA-46P2-FWQG-3H6M

HistoryMay 13, 2022 - 1:48 a.m.

Incorrect Authorization in Jenkins Git Plugin

2022-05-1301:48:31

CWE-863

GitHub Advisory Database

github.com

jenkins

git plugin

vulnerability

authorization

gitstatus.java

network access

nodes

users

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

36.8%

JSON

An improper authorization vulnerability exists in Jenkins Git Plugin version 3.7.0 and earlier in GitStatus.java that allows an attacker with network access to obtain a list of nodes and users.

Affected configurations

Vulners

Node

org.jenkins-ci.pluginsgitRange≤3.7.0

VendorProductVersionCPE
org.jenkins-ci.pluginsgit*cpe:2.3:a:org.jenkins-ci.plugins:git:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.jenkins-ci.plugins	git	*	cpe:2.3:a:org.jenkins-ci.plugins:git::::::::

References

github.com/advisories/GHSA-46p2-fwqg-3h6m

github.com/jenkinsci/git-plugin/commit/a3d3a7eb7f75bfe97a0291e3b6d074aafafa86c9

jenkins.io/security/advisory/2018-02-26/#SECURITY-723

nvd.nist.gov/vuln/detail/CVE-2018-1000110

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

36.8%

JSON

Related for GHSA-46P2-FWQG-3H6M