GHSA-j7pg-863g-22p6

Suggest an improvement
Source
https://github.com/advisories/GHSA-j7pg-863g-22p6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-j7pg-863g-22p6/GHSA-j7pg-863g-22p6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-j7pg-863g-22p6
Aliases
Published
2022-10-19T19:00:18Z
Modified
2024-02-16T08:14:54.018969Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Webhook endpoint discloses job names to unauthorized users in Jenkins Mercurial Plugin
Details

Mercurial Plugin provides a webhook endpoint at /mercurial/notifyCommit that can be used to notify Jenkins of changes to an SCM repository. This endpoint receives a repository URL, and Jenkins will schedule polling for all jobs configured with the specified repository. It can be accessed with GET requests and without authentication.

In Mercurial Plugin 1251.vab121f184902 and earlier, the output of the webhook endpoint will provide information about which jobs were triggered or scheduled for polling, including jobs the user has no permission to access. This allows attackers with knowledge of Mercurial repository URLs to obtain information about the existence of jobs configured with this Mercurial repository.

Mercurial Plugin 1260.vdfb_723cdcc81 does not provide the names of jobs for which polling is triggered unless the user has the appropriate Item/Read permission.

Database specific
{
    "nvd_published_at": "2022-10-19T16:15:00Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-19T20:27:28Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:mercurial

Package

Name
org.jenkins-ci.plugins:mercurial
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins/mercurial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1260.vdfb_723cdcc81

Affected versions

1.*

1.37
1.38
1.39
1.40
1.41
1.42
1.43
1.44
1.45
1.46
1.47
1.48-beta-1
1.48
1.49
1.50-beta-1
1.50-beta-2
1.50
1.50.1
1.51-beta-1
1.51-beta-2
1.51-beta-3
1.51
1.52
1.53
1.54
1.55
1.56
1.57
1.58-beta-1
1.58
1.59
1.60
1.61

2.*

2.0-alpha-1
2.0-alpha-4
2.0-beta-1
2.0
2.1
2.2
2.3
2.4
2.5
2.6
2.7
2.8
2.8.1
2.9
2.9.1
2.10
2.10.1
2.11
2.12
2.13
2.14
2.15
2.15.1
2.15.2
2.16
2.16.1
2.16.2

1251.*

1251.va_b_121f184902

Database specific

{
    "last_known_affected_version_range": "< 1260.vdfb"
}