GitHub Advisory Database: GHSA-GH5W-GFFH-68PR
History: Apr 12, 2023 - 6:30 p.m.

Jenkins Lucene-Search Plugin vulnerable to Cross-Site Request Forgery

2023-04-12 18:30:36
CWE-352
GitHub Advisory Database
github.com
jenkins
lucene-search
plugin
cross-site request forgery
vulnerable
http endpoint
reindex
database

CVSS3: 4.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

EPSS: 0.001 Low
Percentile: 41.8%

Jenkins Lucene-Search Plugin 387.v938a_ecb_f7fe9 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to reindex the database.
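
An added example, not code from the plugin or the advisory: a small Python check that scans Jenkins plugin source for Stapler web methods (public `doXxx` methods) that lack `@RequirePOST` or `@POST`, the class of defect described above. The Stapler naming convention and the two annotations are Jenkins API knowledge rather than something the advisory states; the sample class and method names are hypothetical.

```python
import re

# Stapler annotations that reject non-POST requests (Jenkins API knowledge,
# not named on the advisory page).
POST_ONLY = {"RequirePOST", "POST"}
# Stapler routes public methods named doXxx as HTTP endpoints.
METHOD_RE = re.compile(r"\bpublic\s+(?:[\w<>\[\],.?]+\s+)+(do[A-Z]\w*)\s*\(")
ANNOTATION_RE = re.compile(r"@(\w+)")

def find_unprotected_web_methods(java_source):
    """Return names of doXxx web methods lacking a POST-only annotation."""
    findings, pending = [], set()   # pending: annotations awaiting a declaration
    for raw in java_source.splitlines():
        line = raw.split("//", 1)[0].strip()   # drop line comments
        if not line:
            continue
        m = METHOD_RE.search(line)
        if m is None:
            if line.startswith("@"):
                pending.update(ANNOTATION_RE.findall(line))
            else:
                pending.clear()
            continue
        # Annotations may sit on earlier lines or before "public" on this line.
        seen = pending | set(ANNOTATION_RE.findall(line[:m.start()]))
        if not seen & POST_ONLY:
            findings.append(m.group(1))
        pending.clear()
    return findings

# Constructed sample source; class and method names are hypothetical.
SAMPLE = """
@Extension
public class ExampleSearchAction implements RootAction {
    // state-changing handler with no HTTP method restriction
    public HttpResponse doReindex() { rebuildIndex(); return HttpResponses.ok(); }

    @RequirePOST
    public HttpResponse doReindexSafe() { rebuildIndex(); return HttpResponses.ok(); }

    @POST public void doClear(StaplerRequest req) {}
}
"""

if __name__ == "__main__":
    print(find_unprotected_web_methods(SAMPLE))
```

A finding is a candidate for review, not proof of a flaw: read-only handlers can legitimately accept GET, so each reported method still needs a check of whether it changes state.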

Affected configurations

Vulners
Node
search-guard | search_guard | Range | 387.v938a
