GHSA-78fg-pvgg-6g3r

Source

https://github.com/advisories/GHSA-78fg-pvgg-6g3r

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-78fg-pvgg-6g3r/GHSA-78fg-pvgg-6g3r.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-78fg-pvgg-6g3r

Aliases

CVE-2022-36909

Published

2022-07-28T00:00:42Z

Modified

2023-11-08T04:10:05.388877Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

Missing permission check in Jenkins OpenShift Deployer Plugin

Details

OpenShift Deployer Plugin 1.2.0 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system and to upload a SSH key file from the Jenkins controller file system to an attacker-specified URL.

Database specific

{
    "nvd_published_at": "2022-07-27T15:15:00Z",
    "github_reviewed_at": "2022-08-10T22:41:55Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-862"
    ]
}

References

Affected packages

Maven / org.jenkins-ci.plugins:openshift-deployer

Package

Name: org.jenkins-ci.plugins:openshift-deployer; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/openshift-deployer

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.2.0

Affected versions

1.*

1.0.1

1.0.2

1.0.3

1.0.4

1.1.0

1.1.1

1.2.0