Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02eDYzLWhyeGctMmhqeM4AAtsP
External Monitor Job Type Plugin does not require POST requests for an HTTP endpoint
Jenkins External Monitor Job Type Plugin 191.v363d0d1efdf8 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to create runs of an external job.
External Monitor Job Type Plugin 192.ve979ca_8b_3ccd requires POST requests for the affected HTTP endpoint.
Permalink: https://github.com/advisories/GHSA-6x63-hrxg-2hjx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02eDYzLWhyeGctMmhqeM4AAtsP
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 4 months ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Identifiers: GHSA-6x63-hrxg-2hjx, CVE-2022-36886
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-36886
- https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-2762
- http://www.openwall.com/lists/oss-security/2022/07/27/1
- https://github.com/jenkinsci/external-monitor-job-plugin/commit/e979ca8b3ccd8cf2b098533e1529d104b6bfd7da
- https://github.com/advisories/GHSA-6x63-hrxg-2hjx
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:external-monitor-job
Affected Version Ranges: <= 191.v363d0d1efdf8
Fixed in: 192.ve979ca_8b_3ccd