GHSA-phr4-94xx-259m

Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-phr4-94xx-259m/GHSA-phr4-94xx-259m.json
Aliases: CVE-2022-41232
Published: 2022-09-22T00:00:28Z
Modified: 2023-03-18T05:54:47.072875Z
Details

A cross-site request forgery (CSRF) vulnerability in Jenkins Build-Publisher Plugin 1.22 and earlier allows attackers to replace any config.xml file on the Jenkins controller file system with an empty file by providing a crafted file name to an API endpoint. There is currently no workaround or patch as this plugin has been suspended.

Affected packages

Maven / org.jenkins-ci.plugins:build-publisher

org.jenkins-ci.plugins:build-publisher

Affected ranges

Type: ECOSYSTEM
Events: Introduced 0

Affected versions

1.*

1.11
1.12
1.13
1.14
1.15
1.16
1.17
1.18
1.19
1.20
1.21
1.22

Database specific

{
    "last_known_affected_version_range": "<= 1.22"
}