CVE-2022-34818 – de.einsundeins.jenkins.plugins.failedjobdeactivator:failedjobdeactivator
Package
Manager: maven
Name: de.einsundeins.jenkins.plugins.failedjobdeactivator:failedjobdeactivator
Vulnerable Version: >=0 <=1.2.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00668 (percentile 0.70411)
Details
Jenkins Failed Job Deactivator Plugin Missing Authorization vulnerability
Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints. This allows attackers with Overall/Read permission to disable jobs. Additionally, these endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. As of publication of this advisory, there is no fix.
Metadata
Created: 2022-07-01T00:01:08Z
Modified: 2023-10-27T20:12:51Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-hcjr-6jq3-392p/GHSA-hcjr-6jq3-392p.json
CWE IDs: ["CWE-862"]
Alternative ID: GHSA-hcjr-6jq3-392p
Finding: F039
Auto approve: 1