CVE-2022-41238
Published 2022-09-21
Priority P2 (58) · critical 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 0.85% (53.8th percentile)
A missing permission check in Jenkins DotCi Plugin 2.40.00 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository for attacker-specified commits.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | dotci | <= 2.40.00 | none (plugin suspended) |
| jenkins_project | jenkins_dotci_plugin | unspecified – 2.40.00 | none (plugin suspended) |
The upstream affected-configuration data for this record also lists the other plugins named in the same Jenkins advisory (Anchore Container Image Scanner, Apprenda, BigPanda Notifier and others) together with several entries that are fragments of the advisory prose parsed as product names. None of those is affected by CVE-2022-41238, which is specific to DotCi Plugin; only the two rows above describe the vulnerable software.
Jenkins
Jenkins Security Advisory 2022-09-21
vendor_jenkins · 2022-09-21 · CVE-2022-41224 [MEDIUM] · CVSS 5.4 (the score of the advisory entry this reference is keyed to, not of CVE-2022-41238)
This advisory announces vulnerabilities in the following Jenkins deliverables (indexed excerpt):
Jenkins (core)
Anchore Container Image Scanner Plugin
Apprenda Plugin
BigPanda Notifier Plugin
BMC AMI Common Configuration Plugin
build-publisher Plugin
CONS3RT Plugin
OSV
Lack of authentication mechanism in Jenkins DotCi Plugin webhook
osv · 2022-09-22 · CVE-2022-41238 [MEDIUM]
DotCi Plugin provides a webhook endpoint at `/githook/` that can be used to trigger builds of the job for a GitHub repository.
In DotCi Plugin 2.40.00 and earlier, this endpoint can be accessed without authentication.
This allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository for attacker-specified commits.
This plugin has been suspended; no fixed version is available, so the only remediation is to remove the plugin or block the endpoint.
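Because the endpoint answers anonymously by design, the one signal a controller's access log offers is an accepted call to `/githook/` from a source that is not your Git hosting service. The script below is an added triage example, not code from the DotCi Plugin, the Jenkins project or this advisory. It assumes the controller writes an NCSA common-log-format access log (the format the built-in Winstone access logger can emit) and it uses a constructed sample log and a constructed 192.0.2.0/24 allow-list of webhook origins.

```python
"""Triage Jenkins access-log lines for accepted calls to the DotCi webhook endpoint.

Added example, not code from the DotCi Plugin or the Jenkins advisory. It assumes
an NCSA common-log-format access log; the sample lines and the allow-list of
webhook source networks are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# host ident authuser [timestamp] "METHOD path protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Last path segment of the endpoint named in the advisory (/githook/);
# a Jenkins context path such as /jenkins/ may precede it.
WEBHOOK_SEGMENT = "githook"

# Hypothetical allow-list: the networks your GitHub (Enterprise) instance sends hooks from.
TRUSTED_WEBHOOK_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample log: one legitimate hook, one accepted hook from an unknown
# network, one unrelated authenticated request, one hook that Jenkins rejected.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Sep/2022:10:00:01 +0000] "POST /githook/ HTTP/1.1" 200 0
198.51.100.7 - - [21/Sep/2022:10:00:05 +0000] "POST /githook/ HTTP/1.1" 200 0
198.51.100.7 - alice [21/Sep/2022:10:00:09 +0000] "GET /job/app/ HTTP/1.1" 200 5120
203.0.113.9 - - [21/Sep/2022:10:00:12 +0000] "POST /githook/ HTTP/1.1" 403 0
""".splitlines()


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    timestamp: str
    status: int
    reason: str


def parse_line(line):
    """Return the parsed fields of one NCSA log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_webhook_path(path):
    """True if the request path (query string ignored) ends in the githook segment."""
    segments = path.split("?", 1)[0].strip("/").split("/")
    return segments[-1] == WEBHOOK_SEGMENT


def is_trusted_source(host):
    """True if the client address falls inside one of the allow-listed networks."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # hostname or garbage instead of an IP literal
        return False
    return any(addr in net for net in TRUSTED_WEBHOOK_NETS)


def find_unauthenticated_webhook_calls(lines):
    """Flag webhook calls Jenkins accepted (status < 400) from outside the allow-list.

    The authuser field is '-' for every webhook, so it proves nothing on its own;
    an accepted call from a source other than your Git host is the signal.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_webhook_path(rec["path"]):
            continue
        if rec["status"] >= 400:
            continue  # rejected by Jenkins, no build was queued
        if is_trusted_source(rec["host"]):
            continue
        findings.append(Finding(rec["host"], rec["user"], rec["ts"], rec["status"],
                                "accepted /githook/ call from non-allow-listed source"))
    return findings


if __name__ == "__main__":
    for f in find_unauthenticated_webhook_calls(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host} user={f.user} status={f.status}: {f.reason}")
```

Run against a real access log, the script lists every accepted webhook call that did not come from the allow-listed networks; on a controller that still has DotCi installed, each such line is a build an outsider was able to queue. Restricting the path by source address at a reverse proxy is the compensating control the allow-list models, and it is no substitute for removing the suspended plugin.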
GHSA
Lack of authentication mechanism in Jenkins DotCi Plugin webhook
ghsa · 2022-09-22 · CVE-2022-41238 [MEDIUM] · CWE-862
Advisory text identical to the OSV entry above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published 2022-09-21