GHSA-x8j7-vxh9-p67g

Опубликовано: 19 окт. 2022

Источник: github

Github: Прошло ревью

CVSS3: 4.2

Описание

CSRF vulnerability in Jenkins Katalon Plugin allows capturing credentials

Katalon Plugin 1.0.33 and earlier does not require POST requests for several HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities.

This vulnerability allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Katalon Plugin 1.0.34 requires POST requests for the affected HTTP endpoints.

Ссылки

Пакеты

Наименование

org.jenkins-ci.plugins:katalon

maven

Затронутые версииВерсия исправления

< 1.0.34

1.0.34

EPSS

Процентиль: 32%

0.00124

Низкий

4.2 Medium

CVSS3

CVE ID

CVE-2022-43418

Дефекты

CWE-352

Связанные уязвимости

CVE-2022-43418

CVSS3: 4.3

nvd

больше 3 лет назад

A cross-site request forgery (CSRF) vulnerability in Jenkins Katalon Plugin 1.0.33 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

EPSS

Процентиль: 32%

0.00124

Низкий

4.2 Medium

CVSS3

CVE ID

CVE-2022-43418

Дефекты

CWE-352