CVE-2022-41230: Missing Authorization in Project Jenkins Build-publisher Plugin

Severity: 4.3 MEDIUM (NVD)
EPSS: 0.3% (top 51.37%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 21; Latest update Sep 22

Description

Jenkins Build-Publisher Plugin 1.22 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to obtain names and URLs of Jenkins servers that the plugin is configured to publish builds to, as well as builds pending for publication to those Jenkins servers.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages: 2 packages

🔴 Vulnerability Details (3)

OSV: Missing permission check in Jenkins build-publisher Plugin (2022-09-22)
GHSA: Missing permission check in Jenkins build-publisher Plugin (2022-09-22)
CVEList: CVE-2022-41230: Jenkins Build-Publisher Plugin 1 (2022-09-21)

📋 Vendor Advisories (1)

Jenkins: Jenkins Security Advisory 2022-09-21 (2022-09-21)