GHSA-j33r-cgm6-pv48

Опубликовано: 01 июл. 2022

Источник: github

Github: Прошло ревью

CVSS3: 7.1

Описание

Missing Authorization in Jenkins Recipe Plugin

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

Additionally, the plugin allows users to export the full configuration of jobs as part of a recipe, granting access to job configuration XML data to every user with Item/Read permission. The encrypted values of secrets stored in the job configuration are not redacted, as they would be by the config.xml API for users without Item/Configure permission.

Ссылки

Пакеты

Наименование

org.jenkins-ci.plugins:recipe

maven

Затронутые версииВерсия исправления

<= 1.2

Отсутствует

EPSS

Процентиль: 71%

0.00668

Низкий

7.1 High

CVSS3

CVE ID

CVE-2022-34794

Дефекты

CWE-862

Связанные уязвимости

CVE-2022-34794

CVSS3: 6.5

nvd

больше 3 лет назад

Missing permission checks in Jenkins Recipe Plugin 1.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML.

EPSS

Процентиль: 71%

0.00668

Низкий

7.1 High

CVSS3

CVE ID

CVE-2022-34794

Дефекты

CWE-862