CVE-2022-30954

CWE-862 — Missing Authorization6 documents6 sources

Severity

6.5MEDIUM

EPSS

0.2%

top 58.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Blue Ocean Plugin Jenkins Blue Ocean

Timeline

PublishedMay 17

Latest updateMay 18

Description

Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5jenkins_project/jenkins_blue_ocean_pluginunspecified — 1.25.3

▶Mavenio.jenkins.blueocean:blueocean-parent< 1.25.4

▶NVDjenkins/blue_ocean1.25.3

🔴Vulnerability Details

OSV

Missing permission check in Jenkins Blue Ocean Plugin↗2022-05-18

▶

GHSA

Missing permission check in Jenkins Blue Ocean Plugin↗2022-05-18

▶

CVEList

CVE-2022-30954: Jenkins Blue Ocean Plugin 1↗2022-05-17

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2022-05-17↗2022-05-17

▶

Red Hat

plugin: missing permission checks in Blue Ocean Plugin↗2022-05-17

▶