CVE-2022-20613

CWE-352 — Cross-Site Request Forgery (CSRF)7 documents7 sources

Severity

4.3MEDIUM

EPSS

0.2%

top 60.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Mailer Jenkins Project Jenkins Mailer Plugin Oracle Communications Cloud Native Core Automated Test Suite

Timeline

PublishedJan 12

Latest updateApr 15

Description

A cross-site request forgery (CSRF) vulnerability in Jenkins Mailer Plugin 391.ve4a_38c1b_cf4b_ and earlier allows attackers to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶Mavenorg.jenkins-ci.plugins:mailer391.ve4a38c1bcf4b — 408.vd726a+1

▶CVEListV5jenkins_project/jenkins_mailer_pluginunspecified — 391.ve4a_38c1b_cf4b_

▶NVDjenkins/mailer< 1.34.2+1

▶NVDoracle/communications_cloud_native_core_automated_test_suite1.9.0

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

Cross-Site Request Forgery in Jenkins Mailer Plugin↗2022-01-13

▶

GHSA

Cross-Site Request Forgery in Jenkins Mailer Plugin↗2022-01-13

▶

CVEList

CVE-2022-20613: A cross-site request forgery (CSRF) vulnerability in Jenkins Mailer Plugin 391↗2022-01-12

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: Automated Test Suite (Jenkins Mailer) — CVE-2022-20613↗2022-04-15

▶

Jenkins

Jenkins Security Advisory 2022-01-12↗2022-01-12

▶

Red Hat

jenkins-2-plugins/mailer: form validation method does not require POST requests which could lead to CSRF↗2022-01-12

▶