Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zZmo3LTc4aDItdzk4eM4AAtDX
Jenkins XPath Configuration Viewer Plugin Missing Authorization vulnerability
Jenkins XPath Configuration Viewer Plugin 1.1.1 and earlier does not perform permission checks in several HTTP endpoints.
This allows attackers with Overall/Read permission to create and delete XPath expressions.
Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
As of publication of this advisory, there is no fix.
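The two defects the advisory describes (a Stapler web method that skips the permission check, and one that is reachable over GET so Jenkins' crumb-based CSRF protection never applies) are easiest to recognise side by side. The following is an added illustration, not code from the XPath Configuration Viewer Plugin: the class name, the `store`/`remove` helpers and the choice of `Item.CONFIGURE` as the governing permission are assumptions for the example.

```java
// Added example (hypothetical Jenkins action, not the affected plugin's code).
// Shows a Stapler web method in the vulnerable shape the advisory describes and
// the hardened shape a plugin maintainer would ship.
import hudson.model.AbstractItem;
import hudson.model.Item;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class ExampleExpressionAction {

    // Hypothetical owning item; the permission check is made against it so that
    // per-job authorization (e.g. Item.CONFIGURE) is honoured.
    private final AbstractItem owner;

    public ExampleExpressionAction(AbstractItem owner) {
        this.owner = owner;
    }

    // VULNERABLE SHAPE: no checkPermission() call, and no @RequirePOST, so any
    // user with Overall/Read can hit /addExpression?expression=... with a plain
    // GET, and a GET link on a third-party page gives the same result (CSRF),
    // because the Jenkins crumb is only enforced on POST requests.
    public HttpResponse doAddExpression(@QueryParameter String expression) {
        store(expression);
        return HttpResponses.ok();
    }

    // HARDENED SHAPE: @RequirePOST rejects GET (Jenkins answers 405 and the
    // crumb check now applies), and checkPermission() throws AccessDeniedException
    // (rendered as 403) unless the caller holds Item.CONFIGURE on the owning item.
    // Which permission is "right" is an assumption here; the advisory only says
    // Overall/Read must not be sufficient.
    @RequirePOST
    public HttpResponse doAddExpressionHardened(@QueryParameter String expression) {
        owner.checkPermission(Item.CONFIGURE);
        store(expression);
        return HttpResponses.ok();
    }

    @RequirePOST
    public HttpResponse doRemoveExpressionHardened(@QueryParameter String expression) {
        owner.checkPermission(Item.CONFIGURE);
        remove(expression);
        return HttpResponses.ok();
    }

    // Placeholder persistence for the example; a real plugin would persist to
    // its own configuration file via Saveable/XStream.
    private void store(String expression) { /* assumed helper */ }
    private void remove(String expression) { /* assumed helper */ }
}
```

For review or detection purposes the same two properties can be checked from the outside: an endpoint that mutates state should answer a GET with 405, and a user holding only Overall/Read should get 403 from the POST. Until a fixed plugin version exists, the practical mitigation is to restrict who holds Overall/Read, since that is the only permission the affected endpoints require.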
Permalink: https://github.com/advisories/GHSA-3fj7-78h2-w98x
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zZmo3LTc4aDItdzk4eM4AAtDX
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 6 months ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Identifiers: GHSA-3fj7-78h2-w98x, CVE-2022-34813
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-34813
- https://www.jenkins.io/security/advisory/2022-06-30/#SECURITY-2658
- https://github.com/advisories/GHSA-3fj7-78h2-w98x
Affected Packages
maven:org.jenkins-ci.plugins:xpath-config-viewer
Affected Version Ranges: <= 1.1.1
No known fixed version