GHSA-m82g-fv7v-h64m

Suggest an improvement
Source
https://github.com/advisories/GHSA-m82g-fv7v-h64m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-m82g-fv7v-h64m/GHSA-m82g-fv7v-h64m.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-m82g-fv7v-h64m
Aliases
Published
2022-12-12T09:30:35Z
Modified
2024-02-16T08:18:26.938301Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
Summary
Jenkins Sonar Gerrit Plugin vulnerable to Cross-Site Request Forgery
Details

A cross-site request forgery (CSRF) vulnerability in Jenkins Sonar Gerrit Plugin 377.v8f3808963dc5 and earlier allows attackers to have Jenkins connect to Gerrit servers (previously configured by Jenkins administrators) using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins.

References

Affected packages

Maven / org.jenkins-ci.plugins:sonar-gerrit

Package

Name
org.jenkins-ci.plugins:sonar-gerrit
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins/sonar-gerrit

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
378.vf4646d4df087

Affected versions

1.*

1.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7.6
1.0.8

2.*

2.0
2.1
2.2.1
2.3
2.4.3
2.4.4
2.4.5
2.4.6

348.*

348.v33583c89a_a_b_4

350.*

350.v9b_a_6a_3e3196e

351.*

351.vb_8d85df69260

353.*

353.v20e9cff705d1

361.*

361.v3f45367a_71da_

362.*

362.v43a_b_52a_b_23a_5

363.*

363.v95109f2b_9d0d

366.*

366.vdb_8f26406e04

368.*

368.vb_a_b_e20a_b_6a_b_d

369.*

369.vc4ff5c47910b_

370.*

370.vf2cf40f43d41

371.*

371.v7f34ee88b_960

375.*

375.v1b_e7dfc25ed0

376.*

376.v67dc39df1298

377.*

377.v8f3808963dc5

Database specific

{
    "last_known_affected_version_range": "<= 377.v8f3808963dc5"
}