Lucene search

GitHub Advisory DatabaseGHSA-73V5-W6FG-2M44

HistoryOct 19, 2022 - 7:00 p.m.

Jenkins Tuleap Git Branch Source Plugin allows unauthenticated attackers to trigger Tuleap projects whose configured repo matches attacker-specified value

2022-10-1919:00:22

CWE-862

GitHub Advisory Database

github.com

jenkins

tuleap

git branch source plugin

unauthenticated

permission check

vulnerability

webhook

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

0.001 Low

EPSS

Percentile

30.5%

JSON

A missing permission check in Jenkins Tuleap Git Branch Source Plugin 3.2.4 and earlier allows unauthenticated attackers to trigger Tuleap projects whose configured repository matches the attacker-specified value. Tuleap Git Branch Source Plugin 3.2.5 requires a token to access the webhook endpoint.

Affected configurations

Vulners

Node

jenkinstuleap_git_branch_sourceRange≤3.2.4jenkins

CPENameOperatorVersion
org.jenkins-ci.plugins:tuleap-git-branch-sourcele3.2.4

CPE	Name	Operator	Version
	org.jenkins-ci.plugins:tuleap-git-branch-source	le	3.2.4

References

www.openwall.com/lists/oss-security/2022/10/19/3

github.com/advisories/GHSA-73v5-w6fg-2m44

nvd.nist.gov/vuln/detail/CVE-2022-43421

www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2852

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

0.001 Low

EPSS

Percentile

30.5%

JSON

Related for GHSA-73V5-W6FG-2M44