CVE-2022-34175
published 2022-06-23CVE-2022-34175: Jenkins 2.335 through 2.355 (both inclusive) allows attackers in some cases to bypass a protection mechanism, thereby directly accessing some view fragments…
PriorityP340high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EPSS
1.29%
66.6th percentile
Jenkins 2.335 through 2.355 (both inclusive) allows attackers in some cases to bypass a protection mechanism, thereby directly accessing some view fragments containing sensitive information, bypassing any permission checks in the corresponding view.
Affected
33 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | agent_server_parameter_plugin | — | — |
| jenkins | beaker_builder_plugin | — | — |
| jenkins | convertigo_mobile_platform_plugin | — | — |
| jenkins | crx_content_package_deployer_plugin | — | — |
| jenkins | date_parameter_plugin | — | — |
| jenkins | dynamic_extended_choice_parameter_plugin | — | — |
| jenkins | easyqa_plugin | — | — |
| jenkins | embeddable_build_status_plugin | — | — |
| jenkins | filesystem_list_parameter_plugin | — | — |
| jenkins | hidden_parameter_plugin | — | — |
| jenkins | image_tag_parameter_plugin | — | — |
| jenkins | improper_authorization_in_embeddable_build_status_plugin | — | — |
| jenkins | input_step_plugin | — | — |
| jenkins | jenkins | 2.335 – 2.355 | — |
| jenkins | jenkins_ci_server_plugin | — | — |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_lts | — | — |
| jenkins | jenkins_weekly | — | — |
| jenkins | jianliao_notification_plugin | — | — |
| jenkins | junit_plugin | — | — |
| jenkins | maven_metadata_plugin | — | — |
| jenkins | nested_view_plugin | — | — |
| jenkins | ns-nd_integration_performance_publisher_plugin | — | — |
| jenkins | orchestrator_plugin | — | — |
| jenkins | package_version_plugin | — | — |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
Jenkins: Unauthorized view fragment access
vendor_redhat·2022-06-23·CVSS 7.5
CVE-2022-34175 [HIGH] CWE-863 Jenkins: Unauthorized view fragment access
Jenkins: Unauthorized view fragment access
Jenkins 2.335 through 2.355 (both inclusive) allows attackers in some cases to bypass a protection mechanism, thereby directly accessing some view fragments containing sensitive information, bypassing any permission checks in the corresponding view.
Statement: This vulnerability affects the Jenkins 2.335 through 2.355 (both inclusive). Red Hat products use Jenkins version 2.319 which is NOT affected by this vulnerability.
Package: jenkins (Red Hat OpenShift Container Platform 3.11) - Not affected
Package: jenkins (Red Hat OpenShift Container Platform 4) - Not affected
Jenkins
Jenkins Security Advisory 2022-06-22
vendor_jenkins·2022-06-22·CVSS 5.4
CVE-2017-2601 [MEDIUM] Jenkins Security Advisory 2022-06-22
Title: Jenkins Security Advisory 2022-06-22
Jenkins Security Advisory 2022-06-22
Jenkins Security Home
For Administrators
Overview
Terminology
Vulnerabilities and Scoring
Security Advisories
Security Issues
Advisory Schedule
Vulnerabilities in Plugins
How We Fix Security Issues
For Reporters
Reporting Vulnerabilities
Jenkins CNA
For Maintainers
Overview
Vulnerabilities in Plugins
Jenkins Security Team
About
Contributions
This advisory announces vulnerabilities in the following Jenkins deliverables:
Jenkins (core)
Agent Server Parameter
Plugin
Beaker builder
Plugin
Convertigo Mobile Platform
Plugin
CRX Content Package Deployer
Plugin
Date Parameter
Plugin
Dynamic
OSV
Unauthorized view fragment access in Jenkins
osv·2022-06-24
CVE-2022-34175 [HIGH] Unauthorized view fragment access in Jenkins
Unauthorized view fragment access in Jenkins
Jenkins uses the Stapler web framework to render its UI views. These views are frequently composed of several view fragments, enabling plugins to extend existing views with more content.
Before [SECURITY-534](https://www.jenkins.io/security/advisory/2019-07-17/#SECURITY-534) was fixed in Jenkins 2.186 and LTS 2.176.2, attackers could in some cases directly access a view fragment containing sensitive information, bypassing any permission checks in the corresponding view.
In Jenkins 2.335 through 2.355 (both inclusive), the protection added for SECURITY-534 is disabled for some views. As a result, attackers could in very limited cases directly access a view fragment containing sensitive information, bypassing any permission checks in the corres
GHSA
Unauthorized view fragment access in Jenkins
ghsa·2022-06-24
CVE-2022-34175 [HIGH] CWE-693 Unauthorized view fragment access in Jenkins
Unauthorized view fragment access in Jenkins
Jenkins uses the Stapler web framework to render its UI views. These views are frequently composed of several view fragments, enabling plugins to extend existing views with more content.
Before [SECURITY-534](https://www.jenkins.io/security/advisory/2019-07-17/#SECURITY-534) was fixed in Jenkins 2.186 and LTS 2.176.2, attackers could in some cases directly access a view fragment containing sensitive information, bypassing any permission checks in the corresponding view.
In Jenkins 2.335 through 2.355 (both inclusive), the protection added for SECURITY-534 is disabled for some views. As a result, attackers could in very limited cases directly access a view fragment containing sensitive information, bypassing any permission checks in the corres
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2022-06-23
Published