GHSA-g975-f26h-93g8
Suggest an improvement- Source
- https://github.com/advisories/GHSA-g975-f26h-93g8
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-g975-f26h-93g8/GHSA-g975-f26h-93g8.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-g975-f26h-93g8
- Aliases
-
- CVE-2022-43408
- Published
- 2022-10-19T19:00:18Z
- Modified
- 2024-02-16T08:24:10.335327Z
- Severity
-
- 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Jenkins Pipeline: Stage View Plugin allows CSRF protection bypass of any target URL in Jenkins
- Details
-
Jenkins Pipeline: Stage View Plugin provides a visualization of Pipeline builds. It also allows users to interact with
inputsteps from Pipeline: Input Step Plugin.Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of
inputsteps when using it to generate URLs to proceed or abort Pipeline builds.This allows attackers able to configure Pipelines to specify
inputstep IDs resulting in URLs that would bypass the CSRF protection of any target URL in Jenkins.Pipeline: Stage View Plugin 2.27 correctly encodes the ID of
inputsteps when using it to generate URLs to proceed or abort Pipeline builds. - Database specific
{ "nvd_published_at": "2022-10-19T16:15:00Z", "cwe_ids": [ "CWE-352", "CWE-838" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-10-19T20:27:47Z" }- References
Affected packages
Maven / org.jenkins-ci.plugins.pipeline-stage-view:pipeline-stage-view
Package
- Name
- org.jenkins-ci.plugins.pipeline-stage-view:pipeline-stage-view
- View open source insights on deps.dev
- Purl
- pkg:maven/org.jenkins-ci.plugins.pipeline-stage-view/pipeline-stage-view
Maven / org.jenkins-ci.plugins.pipeline-stage-view:pipeline-stage-view
Package
- Name
- org.jenkins-ci.plugins.pipeline-stage-view:pipeline-stage-view
- View open source insights on deps.dev
- Purl
- pkg:maven/org.jenkins-ci.plugins.pipeline-stage-view/pipeline-stage-view