CVE Vulnerability

CVE-2022-43408

Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of 'input' steps when using it to generate URLs to proceed or abort Pipeline builds, allowing attackers able to configure Pipelines to specify 'input' step IDs resulting in URLs that would bypass the CSRF protection of any target URL in Jenkins.

6.5 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828 Vendor Advisory
http://www.openwall.com/lists/oss-security/2022/10/19/3 Mailing List Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:jenkins:stage_view:*:*:*:*:*:jenkins:*:*
Information

Published : 2022-10-19 04:15

Updated : 2022-10-21 06:52

NVD link : CVE-2022-43408

Mitre link : CVE-2022-43408

Products Affected
No products.
CWE
CWE-838

Inappropriate Encoding for Output Context