CVE-2022-20614

CWE-862Missing AuthorizationCWE-732Incorrect Permission AssignmentCWE-3466 documents6 sources
Severity
4.3MEDIUM
EPSS
0.1%
top 71.66%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Jenkins MailerJenkins Project Jenkins Mailer PluginOracle Communications Cloud Native Core Automated Test Suite
Timeline
PublishedJan 12
Latest updateJan 13

Description

A missing permission check in Jenkins Mailer Plugin 391.ve4a_38c1b_cf4b_ and earlier allows attackers with Overall/Read access to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

Mavenorg.jenkins-ci.plugins:mailer391.ve4a38c1bcf4b408.vd726a+1
CVEListV5jenkins_project/jenkins_mailer_pluginunspecified391.ve4a_38c1b_cf4b_
NVDjenkins/mailer< 1.34.2+1

Patches

Patch: www.oracle.comPatch: www.oracle.com

🔴Vulnerability Details

3
GHSA
Incorrect Permission Assignment for Critical Resource in Jenkins Mailer Plugin2022-01-13
OSV
Incorrect Permission Assignment for Critical Resource in Jenkins Mailer Plugin2022-01-13
CVEList
CVE-2022-20614: A missing permission check in Jenkins Mailer Plugin 3912022-01-12

📋Vendor Advisories

2
Jenkins
Jenkins Security Advisory 2022-01-122022-01-12
Red Hat
jenkins-2-plugins/mailer: does not perform a permission check in a method implementing form validation2022-01-12