Lucene search

GoogleOSV:CVE-2022-41254

HistorySep 21, 2022 - 4:15 p.m.

CVE-2022-41254

2022-09-2116:15:11

Google

osv.dev

jenkins

cons3rt plugin

permission checks

http server

credentials capture

security vulnerability

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

28.4%

JSON

Missing permission checks in Jenkins CONS3RT Plugin 1.0.0 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

CPENameOperatorVersion
cons3rt-plugineq1.0.0

CPE	Name	Operator	Version
	cons3rt-plugin	eq	1.0.0

References

www.openwall.com/lists/oss-security/2022/09/21/5

www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2751

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

28.4%

JSON

Related for OSV:CVE-2022-41254