Lucene search

GitHub Advisory DatabaseGHSA-W8WG-62WF-62GM

HistoryNov 16, 2022 - 12:00 p.m.

Jenkins Cluster Statistics Plugin Missing Authorization vulnerability

2022-11-1612:00:23

CWE-862

GitHub Advisory Database

github.com

jenkins

cluster statistics

authorization

vulnerability

http

endpoint

attackers

overall

read permission

delete

cross-site request forgery

csrf

fix

advisory

software

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

4.5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

22.0%

JSON

Jenkins Cluster Statistics Plugin 0.4.6 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to delete recorded Jenkins Cluster Statistics.

Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

Affected configurations

Vulners

Node

org.zeroturnaround\clusterMatchstats

CPENameOperatorVersion
org.zeroturnaround:cluster-statsle0.4.6

CPE	Name	Operator	Version
	org.zeroturnaround:cluster-stats	le	0.4.6

References

www.openwall.com/lists/oss-security/2022/11/15/4

github.com/advisories/GHSA-w8wg-62wf-62gm

nvd.nist.gov/vuln/detail/CVE-2022-45399

www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2938

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

4.5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

22.0%

JSON

Related for GHSA-W8WG-62WF-62GM