Jenkins Project Jenkins Chef Sinatra Plugin vulnerabilities

CVE-2022-25208 [HIGH] CWE-862 CVE-2022-25208: A missing permission check in Jenkins Chef Sinatra Plugin 1.20 and earlier allows attackers with Ove A missing permission check in Jenkins Chef Sinatra Plugin 1.20 and earlier allows attackers with Overall/Read permission to have Jenkins send an HTTP request to an attacker-controlled URL and have it parse an XML response.

CVE-2022-25207 [HIGH] CWE-352 CVE-2022-25207: A cross-site request forgery (CSRF) vulnerability in Jenkins Chef Sinatra Plugin 1.20 and earlier al A cross-site request forgery (CSRF) vulnerability in Jenkins Chef Sinatra Plugin 1.20 and earlier allows attackers to have Jenkins send an HTTP request to an attacker-controlled URL and have it parse an XML response.

CVE-2022-25209 [HIGH] CWE-611 CVE-2022-25209: Jenkins Chef Sinatra Plugin 1.20 and earlier does not configure its XML parser to prevent XML extern Jenkins Chef Sinatra Plugin 1.20 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

CVE-2019-1003086 [MEDIUM] CWE-352 CVE-2019-1003086: A cross-site request forgery vulnerability in Jenkins Chef Sinatra Plugin in the ChefBuilderConfigur A cross-site request forgery vulnerability in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers to initiate a connection to an attacker-specified server.

CVE-2019-1003087 [MEDIUM] CWE-862 CVE-2019-1003087: A missing permission check in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.Descriptor A missing permission check in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.