Vulnerability Details : CVE-2022-43408
Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of 'input' steps when using it to generate URLs to proceed or abort Pipeline builds, allowing attackers able to configure Pipelines to specify 'input' step IDs resulting in URLs that would bypass the CSRF protection of any target URL in Jenkins.
Vulnerability category: Cross-site request forgery (CSRF)
Products affected by CVE-2022-43408
- cpe:2.3:a:jenkins:pipeline\:stage_view:*:*:*:*:*:jenkins:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-43408
0.08%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 36 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-43408
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
2.8
|
3.6
|
NIST | |
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
2.8
|
3.6
|
NIST |
CWE ids for CVE-2022-43408
-
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.Assigned by: nvd@nist.gov (Primary)
-
The product uses or specifies an encoding when generating output to a downstream component, but the specified encoding is not the same as the encoding that is expected by the downstream component.Assigned by: jenkinsci-cert@googlegroups.com (Primary)
References for CVE-2022-43408
-
http://www.openwall.com/lists/oss-security/2022/10/19/3
oss-security - Multiple vulnerabilities in Jenkins pluginsMailing List;Third Party Advisory
-
https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828
Jenkins Security Advisory 2022-10-19Vendor Advisory
Jump to