GHSA-2phq-ghf8-6586

Source

https://github.com/advisories/GHSA-2phq-ghf8-6586

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-2phq-ghf8-6586/GHSA-2phq-ghf8-6586.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-2phq-ghf8-6586

Aliases

CVE-2022-25193

Published

2022-02-16T00:01:24Z

Modified

2023-11-08T04:08:43.189138Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

Jenkins Snow Commander Plugin prior to 2.0 vulnerable to Missing Authorization

Details

Snow Commander Plugin 1.10 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Database specific

{
    "nvd_published_at": "2022-02-15T17:15:00Z",
    "github_reviewed_at": "2022-07-15T18:26:21Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-862"
    ]
}

References

Affected packages

Maven / io.jenkins.plugins:embotics-vcommander

Package

Name: io.jenkins.plugins:embotics-vcommander; View open source insights on deps.dev
Purl: pkg:maven/io.jenkins.plugins/embotics-vcommander

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0

Affected versions

1.*

1.2

1.3

1.4

1.5

1.6

1.7

1.8

1.9

1.10