GitHub Advisory Database: GHSA-J896-J72W-CR32
History: Jul 28, 2022 - 12:00 a.m.

Jenkins Job Configuration History Plugin does not require POST requests for several HTTP endpoints

Published: 2022-07-28 00:00:43
CWE-352
Source: GitHub Advisory Database (github.com)

4.3 Medium (CVSS3)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

EPSS: 0.001 Low (percentile 46.6%)

Jenkins Job Configuration History Plugin 1155.v28a_46a_cc06a_5 and earlier does not require POST requests for several HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities.

These vulnerabilities allow attackers to delete entries from job, agent, and system configuration history, or restore older versions of job, agent, and system configurations.

Job Configuration History Plugin 1156.v536a_97b_8d649 requires POST requests for the affected HTTP endpoints.
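As an added illustration of the fix described above (not the plugin's own code): a Jenkins Stapler web method before and after the change. The class name, method names and the restore helper are hypothetical; `@RequirePOST`, `checkPermission`, `Item.CONFIGURE` and `HttpResponses` are standard Stapler/Jenkins APIs.

```java
import hudson.model.Item;
import hudson.model.Job;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

// Hypothetical Stapler-bound action object exposing a job's config history.
public class ConfigHistoryAction {

    private final Job<?, ?> job;

    public ConfigHistoryAction(Job<?, ?> job) {
        this.job = job;
    }

    // BEFORE (CWE-352): Stapler binds this to .../restore for any HTTP method.
    // A plain GET is enough, so a page the victim merely loads while logged in
    // can trigger the restore and the browser attaches the victim's session
    // cookie. The permission check is correct but runs with the victim's rights.
    public HttpResponse doRestore(@QueryParameter String timestamp) {
        job.checkPermission(Item.CONFIGURE);
        restoreVersion(timestamp);
        return HttpResponses.redirectToDot();
    }

    // AFTER: the same state-changing action restricted to POST. Stapler answers
    // other methods with 405 before this body runs, and Jenkins' crumb filter
    // validates POST requests that rely on a session cookie, so a cross-origin
    // page cannot forge the request. The Jelly view that used to render a link
    // must submit a form instead (<f:form method="post"> adds the crumb).
    @RequirePOST
    public HttpResponse doRestoreVersion(@QueryParameter String timestamp) {
        job.checkPermission(Item.CONFIGURE);
        restoreVersion(timestamp);
        return HttpResponses.redirectToDot();
    }

    // Hypothetical helper: loads the saved config.xml for `timestamp` and writes
    // it back to the job (e.g. via AbstractItem.updateByXml). Not shown here
    // because the security-relevant change is the annotation, not the restore.
    private void restoreVersion(String timestamp) {
        throw new UnsupportedOperationException("hypothetical restore for " + timestamp);
    }
}
```

The same annotation applies to the delete endpoints the advisory mentions; the rule of thumb is that every web method that changes state must refuse GET.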

Affected configurations

Vulners
Node
org.jenkinsci.plugins\Matchjobconfighistory

