GHSA-6x63-hrxg-2hjx

Suggest an improvement
Source
https://github.com/advisories/GHSA-6x63-hrxg-2hjx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-6x63-hrxg-2hjx/GHSA-6x63-hrxg-2hjx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6x63-hrxg-2hjx
Aliases
  • CVE-2022-36886
Published
2022-07-28T00:00:43Z
Modified
2024-02-16T07:48:04.477375Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
Summary
External Monitor Job Type Plugin does not require POST requests for an HTTP endpoint
Details

Jenkins External Monitor Job Type Plugin 191.v363d0d1efdf8 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to create runs of an external job.

External Monitor Job Type Plugin 192.ve979ca8b3ccd requires POST requests for the affected HTTP endpoint.

References

Affected packages

Maven / org.jenkins-ci.plugins:external-monitor-job

Package

Name
org.jenkins-ci.plugins:external-monitor-job
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins/external-monitor-job

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
192.ve979ca_8b_3ccd

Affected versions

1.*

1.0
1.1
1.2
1.3
1.4
1.5
1.6
1.7
1.7.1

189.*

189.v849257a_0d3a_c

191.*

191.v363d0d1efdf8

Database specific

{
    "last_known_affected_version_range": "<= 191.v363d0d1efdf8"
}