Lucene search

GoogleOSV:GHSA-2WWH-QGH8-W9XW

HistorySep 20, 2023 - 6:30 p.m.

Jenkins Build Failure Analyzer Plugin Cross-Site Request Forgery vulnerability

2023-09-2018:30:21

Google

osv.dev

jenkins

build failure analyzer

csrf

vulnerability

http endpoint

attackers

deletion

software

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

21.8%

JSON

Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier does not require POST requests for an HTTP endpoint, resulting in cross-site request forgery (CSRF) vulnerabilities.

This vulnerability allows attackers to delete Failure Causes.

Build Failure Analyzer Plugin 2.4.2 requires POST requests for the affected HTTP endpoint.

References

www.openwall.com/lists/oss-security/2023/09/20/5

github.com/jenkinsci/build-failure-analyzer-plugin/commit/a261229a67c52927d531c48ec0a59bf138ebd4d0

nvd.nist.gov/vuln/detail/CVE-2023-43502

www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3239

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

21.8%

JSON

Related for OSV:GHSA-2WWH-QGH8-W9XW