CVE-2022-43408: Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of 'input' steps when using it to generate URLs to proceed or abort…

medium6.5CVSS 3.1

AVNACLPRNUIRSUCNIHAN

Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of 'input' steps when using it to generate URLs to proceed or abort Pipeline builds, allowing attackers able to configure Pipelines to specify 'input' step IDs resulting in URLs that would bypass the CSRF protection of any target URL in Jenkins.

Affected

34 ranges· showing 25

Vendor	Product	Version range	Fixed in
jenkins	bmc_ami_devx_code_debug_code_coverage_plugin	—	—
jenkins	bmc_ami_devx_total_test_plugin	—	—
jenkins	bmc_ami_strobe_measurement_task_plugin	—	—
jenkins	code_pipeline_plugin	—	—
jenkins	compuware_topaz_utilities_plugin	—	—
jenkins	contrast_continuous_application_security_plugin	—	—
jenkins	credentials_plugin	—	—
jenkins	custom_checkbox_parameter_plugin	—	—
jenkins	cve-2022-43401_in_script_security_plugin	—	—
jenkins	declarative_plugin	—	—
jenkins	deprecated_groovy_libraries_plugin	—	—
jenkins	fireline_plugin	—	—
jenkins	generic_webhook_trigger_plugin	—	—
jenkins	gitlab_plugin	—	—
jenkins	groovy_libraries_plugin	—	—
jenkins	groovy_plugin	—	—
jenkins	input_step_plugin	—	—
jenkins	job_import_plugin	—	—
jenkins	job_plugin	—	—
jenkins	katalon_plugin	—	—
jenkins	mercurial_plugin	—	—
jenkins	nunit_plugin	—	—
jenkins	pipeline	< 2.27	2.27
jenkins	repo_plugin	—	—
jenkins	s3_explorer_plugin	—	—