GHSA-mwg2-3xpv-5v28
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mwg2-3xpv-5v28
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-mwg2-3xpv-5v28/GHSA-mwg2-3xpv-5v28.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-mwg2-3xpv-5v28
- Aliases
-
- CVE-2021-22512
- Published
- 2022-05-24T17:46:58Z
- Modified
- 2024-02-16T08:08:40.217801Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- CSRF vulnerability in Jenkins Micro Focus Application Automation Tools Plugin
- Details
-
Micro Focus Application Automation Tools Plugin 6.7 and earlier does not perform permission checks in methods implementing form validation.
This allows attackers with Overall/Read permission to connect to attacker-specified URLs using attacker-specified username and password.
Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.
Micro Focus Application Automation Tools Plugin 6.8 requires POST requests and Overall/Administer permission for the affected form validation methods.
- Database specific
{ "nvd_published_at": "2021-04-08T22:15:00Z", "cwe_ids": [ "CWE-352" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2022-12-13T19:00:22Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2021-22512
- https://github.com/jenkinsci/hpe-application-automation-tools-plugin/commit/497a143d9a95e9c937501ca329fe0dae22a0d9cd
- https://github.com/jenkinsci/hpe-application-automation-tools-plugin
- https://www.jenkins.io/security/advisory/2021-04-07/#SECURITY-2132
Affected packages
Maven / org.jenkins-ci.plugins:hp-application-automation-tools-plugin
Package
- Name
- org.jenkins-ci.plugins:hp-application-automation-tools-plugin
- View open source insights on deps.dev
- Purl
- pkg:maven/org.jenkins-ci.plugins/hp-application-automation-tools-plugin
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.8
Affected versions
1.*
1.0
1.0.2
2.*
2.0.0
2.0.2
3.*
3.0.5
3.0.6
3.0.7
4.*
4.0
4.0.1
4.5.0
5.*
5.0.0-beta-1
5.0
5.1-beta-1
5.1
5.1.0.1-beta
5.1.0.2-beta
5.2
5.2.0.1-beta
5.3
5.3.1-beta
5.3.2-beta
5.3.3-beta
5.3.4-beta
5.4
5.4.1-beta
5.4.2-beta
5.5
5.5.1-beta
5.5.2-beta
5.5.3-beta
5.5.4-beta
5.6
5.6.1
5.6.2
5.6.3-beta
5.6.4-beta
5.6.5-beta
5.7
5.7.1-beta
5.7.2-beta
5.7.3-beta
5.7.4-beta
5.8
5.8.1-beta
5.8.2-beta
5.8.3-beta
5.8.4-beta
5.8.5-beta
5.8.6-beta
5.8.7-beta
5.8.8-beta
5.9
5.9.1-beta
5.9.2-beta
5.9.3-beta
6.*
6.0
6.0.1-beta
6.0.2-beta
6.0.3-beta
6.0.4-beta
6.0.5-beta
6.1
6.1.1-beta
6.1.2-beta
6.1.3-beta
6.1.4-beta
6.2
6.2.1-beta
6.2.2-beta
6.2.3-beta
6.2.4-beta
6.2.5-beta
6.2.6-beta
6.2.7-beta
6.2.8-beta
6.3
6.3.1-beta
6.3.2-beta
6.3.3-beta
6.3.4-beta
6.4
6.4.1-beta
6.4.2-beta
6.4.3-beta
6.5
6.6
6.6.1-beta
6.6.2-beta
6.6.3-beta
6.6.4-beta
6.6.5-beta
6.7
6.7.1-beta