CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS Percentile: 21.5%
com.sonyericsson.jenkins.plugins.bfa:build-failure-analyzer is vulnerable to Missing Authorization. The vulnerability is caused by a missing permission check in the test HTTP endpoint doTestConnection as well as the doTestConnection HTTP POST endpoint. This can allow attackers with Overall/Read permission to connect to an attacker-specified hostname and port using an attacker-specified username and password. In addition, because the doTestConnection HTTP endpoint does not require POST requests, it can result in a cross-site request forgery (CSRF) vulnerability.
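
The pattern described above, next to its hardened form, as an added example that is not the plugin's own code. The class name, parameter names, the `tryConnect` helper and the choice of Overall/Administer as the required permission are assumptions for illustration; `@POST`, `@QueryParameter`, `FormValidation` and `Jenkins.get().checkPermission(...)` are standard Jenkins/Stapler APIs.

```java
import hudson.util.FormValidation;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

/** Hypothetical class for illustration; not the plugin's source. */
public class ExampleConnectionTester {

    // BEFORE: the pattern the advisory describes. Stapler routes any HTTP
    // verb to a doXxx method, so a GET reaches it (CSRF), and with no
    // permission check any user holding Overall/Read can invoke it.
    public FormValidation doTestConnectionUnchecked(
            @QueryParameter String host, @QueryParameter int port,
            @QueryParameter String userName, @QueryParameter String password) {
        return tryConnect(host, port, userName, password);
    }

    // AFTER: @POST rejects other verbs, so Jenkins' crumb check applies,
    // and the permission check runs before any outbound connection.
    @POST
    public FormValidation doTestConnection(
            @QueryParameter String host, @QueryParameter int port,
            @QueryParameter String userName, @QueryParameter String password) {
        // Assumption: Overall/Administer is the right gate for this form.
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return tryConnect(host, port, userName, password);
    }

    // Stand-in for the real connection test: a TCP connect with a timeout.
    // A real client would authenticate with userName/password here.
    private FormValidation tryConnect(String host, int port,
                                      String userName, String password) {
        try (Socket socket = new Socket()) {
            socket.connect(new InetSocketAddress(host, port), 5000);
            return FormValidation.ok("Connection succeeded");
        } catch (IOException | IllegalArgumentException e) {
            // Generic message: do not echo network details back to the caller.
            return FormValidation.error("Connection failed");
        }
    }
}
```

When reviewing a plugin for this class of issue, look for `doTest*` and `doCheck*` methods that open connections or touch credentials without both a verb restriction and a `checkPermission` call.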