CVE-2022-43408 — Cross-Site Request Forgery in Jenkins Pipeline

CWE-352 — Cross-Site Request Forgery CWE-838 — Inappropriate Encoding for Output Context6 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.0%

top 96.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Pipeline Jenkins Project Jenkins Pipeline Stage View Plugin

Timeline

PublishedOct 19

Description

Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of 'input' steps when using it to generate URLs to proceed or abort Pipeline builds, allowing attackers able to configure Pipelines to specify 'input' step IDs resulting in URLs that would bypass the CSRF protection of any target URL in Jenkins.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5jenkins_project/jenkins_pipeline_stage_view_pluginunspecified — 2.26

▶NVDjenkins/pipeline< 2.27

🔴Vulnerability Details

CVEList

CVE-2022-43408: Jenkins Pipeline: Stage View Plugin 2↗2022-10-19

▶

GHSA

Jenkins Pipeline: Stage View Plugin allows CSRF protection bypass of any target URL in Jenkins↗2022-10-19

▶

OSV

Jenkins Pipeline: Stage View Plugin allows CSRF protection bypass of any target URL in Jenkins↗2022-10-19

▶

📋Vendor Advisories

Red Hat

jenkins-plugin/pipeline-stage-view: CSRF protection for any URL can be bypassed in Pipeline: Stage View Plugin↗2022-10-19

▶

Jenkins

Jenkins Security Advisory 2022-10-19↗2022-10-19

▶