Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1oN3BmLWg1OHItbXY5M84AAtEA
CSRF vulnerability in Jenkins XebiaLabs XL Release Plugin allow capturing credentials
XebiaLabs XL Release Plugin 22.0.0 and earlier does not perform permission checks in methods implementing form validation.
This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
XebiaLabs XL Release Plugin 22.0.1 requires POST requests and Overall/Administer permission for the affected form validation methods.
Permalink: https://github.com/advisories/GHSA-h7pf-h58r-mv93JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oN3BmLWg1OHItbXY5M84AAtEA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Identifiers: GHSA-h7pf-h58r-mv93, CVE-2022-34780
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-34780
- https://www.jenkins.io/security/advisory/2022-06-30/#SECURITY-2773%20(2)
- https://github.com/advisories/GHSA-h7pf-h58r-mv93
Affected Packages
maven:com.xebialabs.ci:xlrelease-plugin
Affected Version Ranges: <= 22.0.0Fixed in: 22.0.1