Lucene search

GitHub Advisory DatabaseGHSA-VGFW-766V-7Q82

HistoryMay 16, 2023 - 6:30 p.m.

Jenkins AppSpider Plugin Cross-Site Request Forgery vulnerability

2023-05-1618:30:16

CWE-352

GitHub Advisory Database

github.com

jenkins

appspider

csrf

vulnerability

http post

json payload

credentials

http

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

38.9%

JSON

A cross-site request forgery (CSRF) vulnerability in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials.

Affected configurations

Vulners

Node

rapid7appspiderRange≤1.0.15

CPENameOperatorVersion
com.rapid7:jenkinsci-appspider-pluginle1.0.15

CPE	Name	Operator	Version
	com.rapid7:jenkinsci-appspider-plugin	le	1.0.15

References

github.com/advisories/GHSA-vgfw-766v-7q82

nvd.nist.gov/vuln/detail/CVE-2023-32998

www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3121

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

38.9%

JSON

Related for GHSA-VGFW-766V-7Q82