GHSA-hcjr-6jq3-392p

Source

https://github.com/advisories/GHSA-hcjr-6jq3-392p

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-hcjr-6jq3-392p/GHSA-hcjr-6jq3-392p.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-hcjr-6jq3-392p

Aliases

CVE-2022-34818

Published

2022-07-01T00:01:08Z

Modified

2024-02-16T07:53:14.100899Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Jenkins Failed Job Deactivator Plugin Missing Authorization vulnerability

Details

Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints.

This allows attackers with Overall/Read permission to disable jobs.

Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

Database specific

{
    "github_reviewed": true,
    "severity": "MODERATE",
    "github_reviewed_at": "2022-07-12T15:28:33Z",
    "cwe_ids": [
        "CWE-862"
    ],
    "nvd_published_at": "2022-06-30T18:15:00Z"
}

References

Affected packages

Maven / de.einsundeins.jenkins.plugins.failedjobdeactivator:failedJobDeactivator

Package

Name: de.einsundeins.jenkins.plugins.failedjobdeactivator:failedJobDeactivator; View open source insights on deps.dev
Purl: pkg:maven/de.einsundeins.jenkins.plugins.failedjobdeactivator/failedJobDeactivator

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.2.1

Affected versions

1.*

1.0

1.1

1.1.1

1.1.2

1.2

1.2.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-hcjr-6jq3-392p/GHSA-hcjr-6jq3-392p.json"