GHSA-m82g-fv7v-h64m

Source

https://github.com/advisories/GHSA-m82g-fv7v-h64m

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-m82g-fv7v-h64m/GHSA-m82g-fv7v-h64m.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-m82g-fv7v-h64m

Aliases

CVE-2022-46688

Published

2022-12-12T09:30:35Z

Modified

2024-02-16T08:18:26.938301Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator

Summary

Jenkins Sonar Gerrit Plugin vulnerable to Cross-Site Request Forgery

Details

A cross-site request forgery (CSRF) vulnerability in Jenkins Sonar Gerrit Plugin 377.v8f3808963dc5 and earlier allows attackers to have Jenkins connect to Gerrit servers (previously configured by Jenkins administrators) using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins.

Database specific

{
    "github_reviewed": true,
    "nvd_published_at": "2022-12-12T09:15:00Z",
    "github_reviewed_at": "2022-12-12T22:08:48Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-352"
    ]
}

References

Affected packages

Maven / org.jenkins-ci.plugins:sonar-gerrit

Package

Name: org.jenkins-ci.plugins:sonar-gerrit; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/sonar-gerrit

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

378.vf4646d4df087

Affected versions

1.*

1.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7.6

1.0.8

2.*

2.0

2.1

2.2.1

2.3

2.4.3

2.4.4

2.4.5

2.4.6

348.*

348.v33583c89a_a_b_4

350.*

350.v9b_a_6a_3e3196e

351.*

351.vb_8d85df69260

353.*

353.v20e9cff705d1

361.*

361.v3f45367a_71da_

362.*

362.v43a_b_52a_b_23a_5

363.*

363.v95109f2b_9d0d

366.*

366.vdb_8f26406e04

368.*

368.vb_a_b_e20a_b_6a_b_d

369.*

369.vc4ff5c47910b_

370.*

370.vf2cf40f43d41

371.*

371.v7f34ee88b_960

375.*

375.v1b_e7dfc25ed0

376.*

376.v67dc39df1298

377.*

377.v8f3808963dc5

Database specific

last_known_affected_version_range

"<= 377.v8f3808963dc5"