Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wOTJxLTdmaGgtbXEzNc0img
Cross-Site Request Forgery in Jenkins
Jenkins 2.329 and earlier, LTS 2.319.1 and earlier does not require POST requests for the HTTP endpoint handling manual build requests when no security realm is set, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to trigger build of job without parameters.
Jenkins 2.330, LTS 2.319.2 requires POST requests for the affected HTTP endpoint.
Permalink: https://github.com/advisories/GHSA-p92q-7fhh-mq35JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wOTJxLTdmaGgtbXEzNc0img
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 4 months ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Identifiers: GHSA-p92q-7fhh-mq35, CVE-2022-20612
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-20612
- https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2558
- http://www.openwall.com/lists/oss-security/2022/01/12/6
- https://www.jenkins.io/changelog-stable/#v2.319.2
- https://www.jenkins.io/changelog/#v2.330
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://github.com/jenkinsci/jenkins/commit/b5c3764681f3b4ce83d0e78f6a9327925640d57e
- https://github.com/advisories/GHSA-p92q-7fhh-mq35
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.main:jenkins-core
Affected Version Ranges: >= 2.320, < 2.330, < 2.319.2Fixed in: 2.330, 2.319.2