GHSA-6x63-hrxg-2hjx

Source
https://github.com/advisories/GHSA-6x63-hrxg-2hjx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-6x63-hrxg-2hjx/GHSA-6x63-hrxg-2hjx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6x63-hrxg-2hjx
Aliases
  • CVE-2022-36886
Published
2022-07-28T00:00:43Z
Modified
2024-02-16T07:48:04.477375Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Summary
External Monitor Job Type Plugin does not require POST requests for an HTTP endpoint
Details

Jenkins External Monitor Job Type Plugin 191.v363d0d1efdf8 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to create runs of an external job.

External Monitor Job Type Plugin 192.ve979ca8b3ccd requires POST requests for the affected HTTP endpoint.

Database specific
{
    "nvd_published_at": "2022-07-27T15:15:00Z",
    "cwe_ids": [
        "CWE-352"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-08-11T15:15:03Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:external-monitor-job

Package

Name
org.jenkins-ci.plugins:external-monitor-job
Purl
pkg:maven/org.jenkins-ci.plugins/external-monitor-job

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
192.ve979ca_8b_3ccd

Affected versions

1.*

1.0
1.1
1.2
1.3
1.4
1.5
1.6
1.7
1.7.1

189.*

189.v849257a_0d3a_c

191.*

191.v363d0d1efdf8

Database specific

{
    "last_known_affected_version_range": "<= 191.v363d0d1efdf8"
}