Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qODk2LWo3MnctY3IzMs4AAttD
Jenkins Job Configuration History Plugin does not require POST requests for several HTTP endpoints
Jenkins Job Configuration History Plugin 1155.v28a_46a_cc06a_5 and earlier does not require POST requests for several HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities.
These vulnerabilities allow attackers to delete entries from job, agent, and system configuration history, or restore older versions of job, agent, and system configurations.
Job Configuration History Plugin 1156.v536a_97b_8d649 requires POST requests for the affected HTTP endpoints.
Permalink: https://github.com/advisories/GHSA-j896-j72w-cr32
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qODk2LWo3MnctY3IzMs4AAttD
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 4 months ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Identifiers: GHSA-j896-j72w-cr32, CVE-2022-36887
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-36887
- https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-2766
- http://www.openwall.com/lists/oss-security/2022/07/27/1
- https://github.com/jenkinsci/job-config-history-plugin/commit/536a97b8d649b3114f5db24ea32a7c63188a35c6
- https://github.com/advisories/GHSA-j896-j72w-cr32
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:jobConfigHistory
Affected Version Ranges: <= 1155.v28a
Fixed in: 1156.v536a_97b_8d649