CVE-2022-34781 – com.xebialabs.ci:xlrelease-plugin
Package
Manager: maven
Name: com.xebialabs.ci:xlrelease-plugin
Vulnerable Version: >=0 <22.0.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00555 (percentile 0.67127)
Details
Missing permission checks in Jenkins XebiaLabs XL Release Plugin allow capturing credentials.

Missing permission checks in Jenkins XebiaLabs XL Release Plugin 22.0.0 and earlier allow attackers with Overall/Read permission to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. XebiaLabs XL Release Plugin 22.0.1 requires Overall/Administer permission for the affected form validation methods.
Metadata
Created: 2022-07-01T00:01:07Z
Modified: 2022-12-09T14:19:16Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-2588-cx6w-6vm6/GHSA-2588-cx6w-6vm6.json
CWE IDs: ["CWE-862"]
Alternative ID: GHSA-2588-cx6w-6vm6
Finding: F039
Auto approve: 1