GHSA-wwf6-x2rv-vxqh

Опубликовано: 16 фев. 2022

Источник: github

Github: Прошло ревью

CVSS3: 4.2

Описание

Missing permission checks in Jenkins Checkmarx Plugin allow capturing credentials

Checkmarx Plugin 2022.1.2 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Ссылки

Пакеты

Наименование

com.checkmarx.jenkins:checkmarx

maven

Затронутые версииВерсия исправления

< 2022.1.3

2022.1.3

EPSS

Процентиль: 23%

0.00077

Низкий

4.2 Medium

CVSS3

CVE ID

CVE-2022-25201

Дефекты

CWE-862

Связанные уязвимости

CVE-2022-25201

CVSS3: 6.5

nvd

почти 4 года назад

Missing permission checks in Jenkins Checkmarx Plugin 2022.1.2 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified webserver using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

EPSS

Процентиль: 23%

0.00077

Низкий

4.2 Medium

CVSS3

CVE ID

CVE-2022-25201

Дефекты

CWE-862