GHSA-q564-vvx8-9388

Source

https://github.com/advisories/GHSA-q564-vvx8-9388

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q564-vvx8-9388/GHSA-q564-vvx8-9388.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-q564-vvx8-9388

Aliases

CVE-2020-2280

Published

2022-05-24T17:29:16Z

Modified

2024-02-16T08:06:36.513973Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

CSRF vulnerability in Jenkins warnings Plugin allows remote code execution

Details

warnings Plugin 5.0.1 and earlier does not require POST requests for a form validation method intended for testing custom warnings parsers, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to execute arbitrary code.

warnings Plugin 5.0.2 requires POST requests for the affected form validation method.

This vulnerability was caused by an incomplete fix to SECURITY-1295.

Database specific

{
    "nvd_published_at": "2020-09-23T14:15:00Z",
    "cwe_ids": [
        "CWE-352"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-19T23:50:41Z"
}

References

Affected packages

Maven / org.jvnet.hudson.plugins:warnings

Package

Name: org.jvnet.hudson.plugins:warnings; View open source insights on deps.dev
Purl: pkg:maven/org.jvnet.hudson.plugins/warnings

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.0.2

Affected versions

1.*

1.0

1.1

1.2

1.3

1.4

1.5

1.6

1.7

1.8

1.9

1.10

1.11

1.12

1.13

1.14

1.15

1.16

1.17

1.18

1.19

1.20

1.21

1.22

1.23

1.24

1.25

1.26

1.27

1.28

1.29

2.*

2.0

2.1

2.2

2.3

2.4

2.5

2.6

2.7

2.8

2.9

2.10

2.11

2.12

2.13

2.14

3.*

3.0

3.1

3.2

3.3

3.4

3.5

3.6

3.7

3.8

3.9

3.10

3.11

3.12

3.13

3.14

3.15

3.16

3.17

3.18

3.19

3.20

3.21

3.22

3.23

3.24

3.25

3.26

3.27

3.28

4.*

4.0

4.3

4.4

4.5

4.6

4.7

4.9

4.10

4.11

4.12

4.13

4.14

4.15

4.16

4.17

4.18

4.19

4.20

4.21

4.23

4.25

4.26

4.27

4.28

4.29

4.30

4.31

4.32

4.33

4.35

4.36

4.37

4.38

4.39

4.40

4.41

4.42

4.43

4.44

4.45

4.46

4.47

4.48

4.49

4.50

4.51

4.52

4.53

4.54

4.55

4.56

4.57

4.58

4.59

4.60

4.61

4.62

4.63

4.64

4.65

4.66

4.67

4.68

5.*

5.0.0-beta2

5.0.0-beta3

5.0.0-beta4

5.0.0

5.0.1

Database specific

{
    "last_known_affected_version_range": "<= 5.0.1"
}