GHSA-933x-5g7r-773q
Suggest an improvement- Source
- https://github.com/advisories/GHSA-933x-5g7r-773q
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-933x-5g7r-773q/GHSA-933x-5g7r-773q.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-933x-5g7r-773q
- Aliases
-
- CVE-2022-41236
- Published
- 2022-09-22T00:00:28Z
- Modified
- 2023-11-08T04:10:28.138049Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- CSRF vulnerability in Jenkins Security Inspector plugin
- Details
-
Security Inspector Plugin 117.v6eecc36919c2 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to replace the generated report stored in a per-session cache and displayed to authorized users at the
…/reportURL with a report based on attacker-specified report generation options. This could create confusion in users of the plugin who are expecting to see a different result. A security hardening since Jenkins 2.287 and LTS 2.277.2 prevents exploitation of this vulnerability for the Single user, multiple jobs report however, there is no fix at this time. Other report types are still affected. - Database specific
{ "nvd_published_at": "2022-09-21T16:15:00Z", "github_reviewed_at": "2022-12-06T16:03:37Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-352" ] }- References
Affected packages
Maven / org.jenkins-ci.plugins:security-inspector
Package
- Name
- org.jenkins-ci.plugins:security-inspector
- View open source insights on deps.dev
- Purl
- pkg:maven/org.jenkins-ci.plugins/security-inspector