GHSA-wgvx-9rh5-4g4m

Опубликовано: 12 июл. 2023

Источник: github

Github: Прошло ревью

CVSS3: 8.8

Описание

Jenkins Benchmark Evaluator Plugin vulnerable to cross-site request forgery

Jenkins Benchmark Evaluator Plugin 1.0.1 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL and to check for the existence of directories, .csv, and .ycsb files on the Jenkins controller file system.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Ссылки

Пакеты

Наименование

io.jenkins.plugins:benchmark-evaluator

maven

Затронутые версииВерсия исправления

<= 1.0.1

Отсутствует

EPSS

Процентиль: 44%

0.00216

Низкий

8.8 High

CVSS3

CVE ID

CVE-2023-37962

Дефекты

CWE-352

Связанные уязвимости

CVE-2023-37962

CVSS3: 8.8

nvd

больше 2 лет назад

A cross-site request forgery (CSRF) vulnerability in Jenkins Benchmark Evaluator Plugin 1.0.1 and earlier allows attackers to connect to an attacker-specified URL and to check for the existence of directories, `.csv`, and `.ycsb` files on the Jenkins controller file system.

EPSS

Процентиль: 44%

0.00216

Низкий

8.8 High

CVSS3

CVE ID

CVE-2023-37962

Дефекты

CWE-352