GHSA-q564-vvx8-9388

Suggest an improvement
Source
https://github.com/advisories/GHSA-q564-vvx8-9388
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q564-vvx8-9388/GHSA-q564-vvx8-9388.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-q564-vvx8-9388
Aliases
Published
2022-05-24T17:29:16Z
Modified
2024-02-16T08:06:36.513973Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
CSRF vulnerability in Jenkins warnings Plugin allows remote code execution
Details

warnings Plugin 5.0.1 and earlier does not require POST requests for a form validation method intended for testing custom warnings parsers, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to execute arbitrary code.

warnings Plugin 5.0.2 requires POST requests for the affected form validation method.

This vulnerability was caused by an incomplete fix to SECURITY-1295.

Database specific
{
    "nvd_published_at": "2020-09-23T14:15:00Z",
    "cwe_ids": [
        "CWE-352"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-19T23:50:41Z"
}
References

Affected packages

Maven / org.jvnet.hudson.plugins:warnings

Package

Name
org.jvnet.hudson.plugins:warnings
View open source insights on deps.dev
Purl
pkg:maven/org.jvnet.hudson.plugins/warnings

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.0.2

Affected versions

1.*

1.0
1.1
1.2
1.3
1.4
1.5
1.6
1.7
1.8
1.9
1.10
1.11
1.12
1.13
1.14
1.15
1.16
1.17
1.18
1.19
1.20
1.21
1.22
1.23
1.24
1.25
1.26
1.27
1.28
1.29

2.*

2.0
2.1
2.2
2.3
2.4
2.5
2.6
2.7
2.8
2.9
2.10
2.11
2.12
2.13
2.14

3.*

3.0
3.1
3.2
3.3
3.4
3.5
3.6
3.7
3.8
3.9
3.10
3.11
3.12
3.13
3.14
3.15
3.16
3.17
3.18
3.19
3.20
3.21
3.22
3.23
3.24
3.25
3.26
3.27
3.28

4.*

4.0
4.3
4.4
4.5
4.6
4.7
4.9
4.10
4.11
4.12
4.13
4.14
4.15
4.16
4.17
4.18
4.19
4.20
4.21
4.23
4.25
4.26
4.27
4.28
4.29
4.30
4.31
4.32
4.33
4.35
4.36
4.37
4.38
4.39
4.40
4.41
4.42
4.43
4.44
4.45
4.46
4.47
4.48
4.49
4.50
4.51
4.52
4.53
4.54
4.55
4.56
4.57
4.58
4.59
4.60
4.61
4.62
4.63
4.64
4.65
4.66
4.67
4.68

5.*

5.0.0-beta2
5.0.0-beta3
5.0.0-beta4
5.0.0
5.0.1

Database specific

{
    "last_known_affected_version_range": "<= 5.0.1"
}