Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS02eDYzLWhyeGctMmhqeM4AAtsP

External Monitor Job Type Plugin does not require POST requests for an HTTP endpoint

Jenkins External Monitor Job Type Plugin 191.v363d0d1efdf8 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. Jenkins applies its CSRF crumb check only to POST requests, so an endpoint that also accepts GET can be triggered by a link or image embedded in an attacker-controlled page that an authenticated user is lured into visiting.

This vulnerability allows attackers to create runs of an external job. Exploitation requires no credentials of the attacker's own but does require a victim with the relevant permission to open the attacker's page (CVSS PR:N, UI:R).

External Monitor Job Type Plugin 192.ve979ca_8b_3ccd requires POST requests for the affected HTTP endpoint.

Permalink: https://github.com/advisories/GHSA-6x63-hrxg-2hjx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02eDYzLWhyeGctMmhqeM4AAtsP
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 4 months ago


CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Identifiers: GHSA-6x63-hrxg-2hjx, CVE-2022-36886
References: Repository: https://github.com/jenkinsci/external-monitor-job-plugin
Blast Radius: 1.0

Affected Packages

maven:org.jenkins-ci.plugins:external-monitor-job
Affected Version Ranges: <= 191.v363d0d1efdf8
Fixed in: 192.ve979ca_8b_3ccd
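The following is an added example, not code from the ecosyste.ms page or from the Jenkins project: a small Python script that checks whether an installed copy of the plugin falls inside the affected range above (<= 191.v363d0d1efdf8). It reads the JSON that a Jenkins controller returns from /pluginManager/api/json?depth=1 (the sample below is constructed inline, not captured from a real instance) and compares the leading numeric components of Jenkins plugin version strings; this is a simplification of Jenkins' Maven-style version ordering that is sufficient for incremental-style versions such as the ones in this advisory.

```python
import json

# Identifiers taken from this advisory: the plugin's Maven artifactId, the
# last affected release and the release that requires POST on the endpoint.
PLUGIN_SHORT_NAME = "external-monitor-job"
LAST_AFFECTED_VERSION = "191.v363d0d1efdf8"
FIXED_VERSION = "192.ve979ca_8b_3ccd"
ADVISORY_ID = "GHSA-6x63-hrxg-2hjx"


def version_key(version: str) -> tuple:
    """Reduce a Jenkins plugin version string to a comparable tuple.

    Plugin versions are either classic dotted numbers ("1.7", "1.10") or
    Jenkins "incrementals" ("191.v363d0d1efdf8"), where the leading integer
    grows with every release and the "v<git hash>" suffix carries no ordering
    information. The underscores in "192.ve979ca_8b_3ccd" are escapes so that
    Maven does not read "a8" or "b3" as alpha/beta qualifiers. Only the leading
    numeric components are compared here (a simplification, not Jenkins'
    full Maven-style ordering).
    """
    numeric = []
    for part in version.split("."):
        if not part.isdigit():
            break  # first non-numeric component, e.g. "v363d0d1efdf8"
        numeric.append(int(part))
    if not numeric:
        raise ValueError(f"unparseable plugin version: {version!r}")
    return tuple(numeric)


def is_affected(version: str) -> bool:
    """True when the given plugin version is inside the advisory's range."""
    return version_key(version) <= version_key(LAST_AFFECTED_VERSION)


def affected_plugins(plugin_manager_json: str) -> list:
    """Scan the JSON body of /pluginManager/api/json?depth=1 and return the
    installed entries that match this advisory."""
    data = json.loads(plugin_manager_json)
    findings = []
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") != PLUGIN_SHORT_NAME:
            continue
        version = plugin.get("version", "")
        if is_affected(version):
            findings.append({
                "shortName": PLUGIN_SHORT_NAME,
                "installed": version,
                "fixed_in": FIXED_VERSION,
                "advisory": ADVISORY_ID,
            })
    return findings


# Constructed sample of the plugin manager response (not captured from a real
# Jenkins controller); only shortName and version matter for the check.
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({
    "_class": "hudson.LocalPluginManager",
    "plugins": [
        {"shortName": "external-monitor-job", "version": "191.v363d0d1efdf8", "enabled": True},
        {"shortName": "git", "version": "4.11.3", "enabled": True},
    ],
})


if __name__ == "__main__":
    for finding in affected_plugins(SAMPLE_PLUGIN_MANAGER_JSON):
        print(f"{finding['shortName']} {finding['installed']} is affected by "
              f"{finding['advisory']}; upgrade to {finding['fixed_in']}")
```

To run it against a live controller, fetch the JSON with an API token (the endpoint is a GET and needs no crumb) and pass the body to `affected_plugins`. Because the affected range is open-ended downwards, every pre-incrementals release such as 1.7 is reported as affected as well.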