CVE-2022-25208

CWE-862Missing Authorization5 documents5 sources
Severity
8.8HIGH
EPSS
0.1%
top 68.46%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Jenkins Project Jenkins Chef Sinatra PluginJenkins Chef Sinatra
Timeline
PublishedFeb 15
Latest updateFeb 16

Description

A missing permission check in Jenkins Chef Sinatra Plugin 1.20 and earlier allows attackers with Overall/Read permission to have Jenkins send an HTTP request to an attacker-controlled URL and have it parse an XML response.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

CVEListV5jenkins_project/jenkins_chef_sinatra_pluginunspecified1.20

🔴Vulnerability Details

3
OSV
Missing permission checks in Jenkins Chef Sinatra Plugin allow XXE2022-02-16
GHSA
Missing permission checks in Jenkins Chef Sinatra Plugin allow XXE2022-02-16
CVEList
CVE-2022-25208: A missing permission check in Jenkins Chef Sinatra Plugin 12022-02-15

📋Vendor Advisories

1
Jenkins
Jenkins Security Advisory 2022-02-152022-02-15
CVE-2022-25208 (HIGH CVSS 8.8) | A missing permission check in Jenki | cvebase.io