CVE-2022-36887

CWE-352 — Cross-Site Request Forgery (CSRF)5 documents5 sources

Severity

4.3MEDIUM

EPSS

0.1%

top 78.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins JOB Configuration History Plugin Jenkins JOB Configuration History

Timeline

PublishedJul 27

Latest updateJul 28

Description

A cross-site request forgery (CSRF) vulnerability in Jenkins Job Configuration History Plugin 1155.v28a_46a_cc06a_5 and earlier allows attackers to delete entries from job, agent, and system configuration history, or restore older versions of job, agent, and system configurations.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5jenkins_project/jenkins_job_configuration_history_pluginunspecified — 1155.v28a_46a_cc06a_5

▶NVDjenkins/job_configuration_history1155.v28a_46a_cc06a_5

▶Mavenorg.jenkins-ci.plugins:jobConfigHistory< 1156.v536a_97b_8d649

🔴Vulnerability Details

OSV

Jenkins Job Configuration History Plugin does not require POST requests for several HTTP endpoints↗2022-07-28

▶

GHSA

Jenkins Job Configuration History Plugin does not require POST requests for several HTTP endpoints↗2022-07-28

▶

CVEList

CVE-2022-36887: A cross-site request forgery (CSRF) vulnerability in Jenkins Job Configuration History Plugin 1155↗2022-07-27

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2022-07-27↗2022-07-27

▶