GHSA-h656-vmrg-7rr6

Опубликовано: 12 июл. 2023

Источник: github

Github: Прошло ревью

CVSS3: 6.5

Описание

Jenkins Test Results Aggregator Plugin missing permission check

Jenkins Test Results Aggregator Plugin 1.2.13 and earlier does not perform a permission check in an HTTP endpoint implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password.

Additionally, this HTTP endpoint does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Ссылки

Пакеты

Наименование

org.jenkins-ci.plugins:test-results-aggregator

maven

Затронутые версииВерсия исправления

<= 1.2.13

Отсутствует

EPSS

Процентиль: 17%

0.00052

Низкий

6.5 Medium

CVSS3

CVE ID

CVE-2023-37956

Дефекты

CWE-862

Связанные уязвимости

CVE-2023-37956

CVSS3: 6.5

nvd

больше 2 лет назад

A missing permission check in Jenkins Test Results Aggregator Plugin 1.2.13 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

EPSS

Процентиль: 17%

0.00052

Низкий

6.5 Medium

CVSS3

CVE ID

CVE-2023-37956

Дефекты

CWE-862