GHSA-x95c-qrqr-2v27

Source

https://github.com/advisories/GHSA-x95c-qrqr-2v27

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-x95c-qrqr-2v27/GHSA-x95c-qrqr-2v27.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-x95c-qrqr-2v27

Aliases

CVE-2022-27205

Published

2022-03-16T00:00:43Z

Modified

2023-11-08T04:08:57.128364Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

CSRF vulnerability and missing permission checks in Extended Choice Parameter Plugin allow SSRF

Details

Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier does not perform a permission check on form validation methods. This allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Database specific

{
    "nvd_published_at": "2022-03-15T17:15:00Z",
    "github_reviewed_at": "2022-11-30T20:17:58Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-276",
        "CWE-862"
    ]
}

References

Affected packages

Maven / org.jenkins-ci.plugins:extended-choice-parameter

Package

Name: org.jenkins-ci.plugins:extended-choice-parameter; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/extended-choice-parameter

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

346.vd87693c5a

Affected versions

0.*

0.18

0.19

0.20

0.21

0.22

0.23

0.24

0.25

0.26

0.27

0.28

0.30

0.31

0.32

0.33

0.34

0.35

0.36

0.37

0.38

0.39

0.40

0.41

0.42

0.43

0.44

0.45

0.46

0.47

0.48

0.50

0.51

0.52

0.53

0.54

0.55

0.56

0.59

0.61

0.63

0.64

0.65

0.68

0.69

0.70

0.71

0.72

0.74

0.75

0.76

0.78

0.82

0.84

342.*

342.v91c1905a_a_eb_a_

343.*

343.v3a_a_d43ce47dd