GHSA-5g87-44p9-v4j7

Опубликовано: 12 июл. 2023

Источник: github

Github: Прошло ревью

CVSS3: 5.4

Описание

Jenkins Benchmark Evaluator Plugin missing permission check

Jenkins Benchmark Evaluator Plugin 1.0.1 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL and to check for the existence of directories, .csv, and .ycsb files on the Jenkins controller file system.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Ссылки

Пакеты

Наименование

io.jenkins.plugins:benchmark-evaluator

maven

Затронутые версииВерсия исправления

<= 1.0.1

Отсутствует

EPSS

Процентиль: 31%

0.00117

Низкий

5.4 Medium

CVSS3

CVE ID

CVE-2023-37963

Дефекты

CWE-862

Связанные уязвимости

CVE-2023-37963

CVSS3: 5.4

nvd

больше 2 лет назад

A missing permission check in Jenkins Benchmark Evaluator Plugin 1.0.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL and to check for the existence of directories, `.csv`, and `.ycsb` files on the Jenkins controller file system.

EPSS

Процентиль: 31%

0.00117

Низкий

5.4 Medium

CVSS3

CVE ID

CVE-2023-37963

Дефекты

CWE-862