Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1oN3BmLWg1OHItbXY5M84AAtEA

Moderate EPSS: 0.00084% (0.25431 Percentile) EPSS:
Permalink JSON

CSRF vulnerability in Jenkins XebiaLabs XL Release Plugin allow capturing credentials

Affected Packages Affected Versions Fixed Versions
maven:com.xebialabs.ci:xlrelease-plugin <= 22.0.0 22.0.1

XebiaLabs XL Release Plugin 22.0.0 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

XebiaLabs XL Release Plugin 22.0.1 requires POST requests and Overall/Administer permission for the affected form validation methods.

References:

Identifiers

GHSA-h7pf-h58r-mv93

CVE-2022-34780

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.00084

EPSS Percentile: 0.25431

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Date and time

Published

over 3 years ago

Updated

almost 3 years ago

API

JSON