An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1oN3BmLWg1OHItbXY5M84AAtEA
CSRF vulnerability in Jenkins XebiaLabs XL Release Plugin allow capturing credentials
XebiaLabs XL Release Plugin 22.0.0 and earlier does not perform permission checks in methods implementing form validation.
This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
XebiaLabs XL Release Plugin 22.0.1 requires POST requests and Overall/Administer permission for the affected form validation methods.Permalink: https://github.com/advisories/GHSA-h7pf-h58r-mv93
Source: GitHub Advisory Database
Published: over 1 year ago
Updated: 10 months ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Identifiers: GHSA-h7pf-h58r-mv93, CVE-2022-34780
Fixed in: 22.0.1