Lucene search

GitHub Advisory DatabaseGHSA-FJH2-QHFH-RVFC

HistoryMay 13, 2022 - 1:50 a.m.

Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin CSRF vulnerability and missing permission checks

2022-05-1301:50:55

CWE-200

GitHub Advisory Database

github.com

jenkins

maven

artifact

choicelistprovider

nexus

plugin

csrf

vulnerability

missing permission checks

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

AI Score

6.1

Confidence

High

EPSS

0.001

Percentile

22.0%

JSON

An exposure of sensitive information vulnerability exists in Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin 1.3.1 and earlier in ArtifactoryChoiceListProvider.java, NexusChoiceListProvider.java, Nexus3ChoiceListProvider.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins.

Affected configurations

Vulners

Node

org.jenkins-ci.pluginsmaven-artifact-choicelistproviderRange≤1.3.1

VendorProductVersionCPE
org.jenkins-ci.pluginsmaven-artifact-choicelistprovider*cpe:2.3:a:org.jenkins-ci.plugins:maven-artifact-choicelistprovider:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.jenkins-ci.plugins	maven-artifact-choicelistprovider	*	cpe:2.3:a:org.jenkins-ci.plugins:maven-artifact-choicelistprovider::::::::

References

github.com/advisories/GHSA-fjh2-qhfh-rvfc

github.com/jenkinsci/maven-artifact-choicelistprovider-plugin/commit/2d2e20cc00a29abf435afcad12cfc9ddadf76d89

github.com/jenkinsci/maven-artifact-choicelistprovider-plugin/commit/5a3a3ff1e7416623c531601620305640ef4c8e28

github.com/jenkinsci/maven-artifact-choicelistprovider-plugin/commit/99d97c028fbc0672b729d052d4bfc4dfa9674f23

jenkins.io/security/advisory/2018-07-30/#SECURITY-1022

nvd.nist.gov/vuln/detail/CVE-2018-1999030

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

AI Score

6.1

Confidence

High

EPSS

0.001

Percentile

22.0%

JSON

Related for GHSA-FJH2-QHFH-RVFC