Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0ycGhxLWdoZjgtNjU4Ns0sOQ
Jenkins Snow Commander Plugin prior to 2.0 vulnerable to Missing Authorization
Snow Commander Plugin 1.10 and earlier does not perform permission checks in methods implementing form validation.
This allows attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
Permalink: https://github.com/advisories/GHSA-2phq-ghf8-6586JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0ycGhxLWdoZjgtNjU4Ns0sOQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: over 1 year ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Identifiers: GHSA-2phq-ghf8-6586, CVE-2022-25193
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-25193
- https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2536
- https://github.com/advisories/GHSA-2phq-ghf8-6586
Affected Packages
maven:io.jenkins.plugins:embotics-vcommander
Affected Version Ranges: < 2.0Fixed in: 2.0