Lucene search

GitHub Advisory DatabaseGHSA-GX2J-5VC3-3794

HistoryMay 16, 2023 - 9:30 p.m.

Jenkins Code Dx Plugin cross-site request forgery vulnerability

2023-05-1621:30:22

CWE-352

GitHub Advisory Database

github.com

jenkins

code dx plugin

csrf

vulnerability

http endpoints

permission checks

cross-site request forgery

post requests

4.0.0

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

0.0004 Low

EPSS

Percentile

13.1%

JSON

Jenkins Code Dx Plugin 3.1.0 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Code Dx Plugin 4.0.0 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

Affected configurations

Vulners

Node

org.jenkinsci.plugins\Matchcodedx

CPENameOperatorVersion
org.jenkins-ci.plugins:codedxlt4.0.0

CPE	Name	Operator	Version
	org.jenkins-ci.plugins:codedx	lt	4.0.0

References

github.com/advisories/GHSA-gx2j-5vc3-3794

github.com/jenkinsci/codedx-plugin/commit/0214f30488ea8481f01e4b14a861e13d75bebb8b

nvd.nist.gov/vuln/detail/CVE-2023-2195

www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3118

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

0.0004 Low

EPSS

Percentile

13.1%

JSON

Related for GHSA-GX2J-5VC3-3794