Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1qN3BnLTg2M2ctMjJwNs4AAvdT

Webhook endpoint discloses job names to unauthorized users in Jenkins Mercurial Plugin

Mercurial Plugin provides a webhook endpoint at /mercurial/notifyCommit that can be used to notify Jenkins of changes to an SCM repository. This endpoint receives a repository URL, and Jenkins will schedule polling for all jobs configured with the specified repository. It can be accessed with GET requests and without authentication.

In Mercurial Plugin 1251.va_b_121f184902 and earlier, the output of the webhook endpoint will provide information about which jobs were triggered or scheduled for polling, including jobs the user has no permission to access. This allows attackers with knowledge of Mercurial repository URLs to obtain information about the existence of jobs configured with this Mercurial repository.

Mercurial Plugin 1260.vdfb_723cdcc81 does not provide the names of jobs for which polling is triggered unless the user has the appropriate Item/Read permission.

Permalink: https://github.com/advisories/GHSA-j7pg-863g-22p6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qN3BnLTg2M2ctMjJwNs4AAvdT
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 11 months ago


CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Percentage: 0.00078
EPSS Percentile: 0.34524

Identifiers: GHSA-j7pg-863g-22p6, CVE-2022-43410
References: Repository: https://github.com/jenkinsci/mercurial-plugin
Blast Radius: 1.0

Affected Packages

maven:org.jenkins-ci.plugins:mercurial
Affected Version Ranges: < 1260.vdfb
Fixed in: 1260.vdfb_723cdcc81