GHSA-xqqr-mq8x-22qx

Suggest an improvement
Source
https://github.com/advisories/GHSA-xqqr-mq8x-22qx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xqqr-mq8x-22qx/GHSA-xqqr-mq8x-22qx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xqqr-mq8x-22qx
Aliases
Published
2022-05-24T16:47:43Z
Modified
2024-02-16T08:21:02.215802Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
Jenkins JX Resources Plugin missing permission check
Details

Jenkins jx-resources Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified Kubernetes server and obtain information about an attacker-specified namespace. Doing so might also leak service account credentials used for the connection. Additionally, it allowed attackers to obtain the value of any attacker-specified environment variable for the Jenkins controller process.

Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.

This form validation method now requires POST requests and Overall/Administer permissions.

References

Affected packages

Maven / org.jenkins-ci.plugins:jx-resources

Package

Name
org.jenkins-ci.plugins:jx-resources
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins/jx-resources

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.0.37

Affected versions

1.*

1.0.0
1.0.1
1.0.2
1.0.4
1.0.5
1.0.6
1.0.14
1.0.15
1.0.24
1.0.25
1.0.26
1.0.27
1.0.29
1.0.30
1.0.31
1.0.32
1.0.33
1.0.34
1.0.35
1.0.36

Database specific

{
    "last_known_affected_version_range": "<= 1.0.36"
}