GHSA-v535-pc6r-77qh

Suggest an improvement
Source
https://github.com/advisories/GHSA-v535-pc6r-77qh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-v535-pc6r-77qh/GHSA-v535-pc6r-77qh.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-v535-pc6r-77qh
Aliases
  • CVE-2022-45385
Published
2022-11-16T12:00:23Z
Modified
2024-02-16T08:25:03.274765Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Lack of authentication mechanism for webhook in CloudBees Docker Hub/Registry Notification Plugin
Details

CloudBees Docker Hub/Registry Notification Plugin provides several webhook endpoints that can be used to trigger builds when Docker images used by a job have been rebuilt.

In CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier, these endpoints can be accessed without authentication.

This allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.

CloudBees Docker Hub/Registry Notification Plugin 2.6.2.1 requires a token as a part of webhook URLs, which will act as authentication for the webhook endpoint. As a result, all webhook URLs in the plugin will be different after updating the plugin.

Administrators can set the Java system property org.jenkinsci.plugins.registry.notification.webhook.JSONWebHook.DO_NOT_REQUIRE_API_TOKEN to true to disable this fix.

References

Affected packages

Maven / org.jenkins-ci.plugins:dockerhub-notification

Package

Name
org.jenkins-ci.plugins:dockerhub-notification
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins/dockerhub-notification

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.6.2.1

Affected versions

1.*

1.0
1.0.1
1.0.2

2.*

2.0
2.1
2.2.0
2.2.1
2.3.0
2.4.0
2.5.0
2.5.1
2.5.2
2.5.3
2.6.0
2.6.0.1
2.6.1
2.6.2

Database specific

{
    "last_known_affected_version_range": "<= 2.6.2"
}