CVE-2022-41238 : A missing permission check in Jenkins DotCi Plugin 2.40.00 and earlier allows un

A missing permission check in Jenkins DotCi Plugin 2.40.00 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository for attacker-specified commits.

Published 2022-09-21 16:15:11

Updated 2023-11-01 20:24:46

Source Jenkins Project

View at NVD, CVE.org

Products affected by CVE-2022-41238

Jenkins » Dotci » For Jenkins
Versions up to, including, (<=) 2.40.00
cpe:2.3:a:jenkins:dotci:*:*:*:*:*:jenkins:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-41238

EPSS FAQ

0.14%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 31 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-41238

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-41238

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Assigned by:
- jenkinsci-cert@googlegroups.com (Primary)
- nvd@nist.gov (Primary)

References for CVE-2022-41238

https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2867

Jenkins Security Advisory 2022-09-21
Vendor Advisory

Jump to

Vulnerability Details : CVE-2022-41238

Products affected by CVE-2022-41238

Exploit prediction scoring system (EPSS) score for CVE-2022-41238

CVSS scores for CVE-2022-41238

CWE ids for CVE-2022-41238

References for CVE-2022-41238