CVE-2022-43407Cross-Site Request Forgery in Project Jenkins Pipeline Input Step Plugin

CWE-352Cross-Site Request ForgeryCWE-838Inappropriate Encoding for Output Context6 documents6 sources
Severity
8.8HIGHNVD
EPSS
0.0%
top 95.53%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Jenkins Project Jenkins Pipeline Input Step PluginJenkins Pipeline
Timeline
PublishedOct 19

Description

Jenkins Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict or sanitize the optionally specified ID of the 'input' step, which is used for the URLs that process user interactions for the given 'input' step (proceed or abort) and is not correctly encoded, allowing attackers able to configure Pipelines to have Jenkins build URLs from 'input' step IDs that would bypass the CSRF protection of any target URL in Jenkins when the 'input' step is interacted with.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

CVEListV5jenkins_project/jenkins_pipeline_input_step_pluginunspecified451.vf1a_a_4f405289
NVDjenkins/pipeline451.vf1a_a_4f405289

🔴Vulnerability Details

3
OSV
CSRF protection for any URL can be bypassed in Jenkins Pipeline: Input Step Plugin2022-10-19
CVEList
CVE-2022-43407: Jenkins Pipeline: Input Step Plugin 4512022-10-19
GHSA
CSRF protection for any URL can be bypassed in Jenkins Pipeline: Input Step Plugin2022-10-19

📋Vendor Advisories

2
Red Hat
jenkins-plugin/pipeline-input-step: CSRF protection for any URL can be bypassed in Pipeline: Input Step Plugin2022-10-19
Jenkins
Jenkins Security Advisory 2022-10-192022-10-19
CVE-2022-43407 — Cross-Site Request Forgery | cvebase