CVE-2022-20612 – org.jenkins-ci.main:jenkins-core
Package
Manager: maven
Name: org.jenkins-ci.main:jenkins-core
Vulnerable Version: >=2.320 <2.330 || >=0 <2.319.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00217 (percentile 0.44334)
Details
Cross-Site Request Forgery in Jenkins. Jenkins 2.329 and earlier, LTS 2.319.1 and earlier does not require POST requests for the HTTP endpoint handling manual build requests when no security realm is set, resulting in a cross-site request forgery (CSRF) vulnerability. This allows attackers to trigger builds of jobs that have no parameters: any GET request to the build endpoint, including one a victim's browser issues for an image or link on an attacker-controlled page, schedules a build. Jenkins 2.330 and LTS 2.319.2 require POST requests for the affected HTTP endpoint.
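The following is an added example, not code from the advisory or from Jenkins itself. It stands up two local stand-ins for the /job/NAME/build endpoint, one that behaves like the affected versions (a bare GET schedules a build) and one that behaves like the fix (GET is refused with 405 and only POST is accepted), then runs the same probe a CSRF page would cause against both. Job name, ports, and the handler code are all constructed for this example; the status codes assumed are 201 for an accepted build request and 405 for a rejected GET.

```python
"""Reproduce the class of bug in CVE-2022-20612 against local stand-ins.

Constructed example: the handlers below are NOT Jenkins code; they only
mimic the behaviour the advisory describes for /job/<name>/build.
"""
import http.server
import threading
import urllib.error
import urllib.request


def make_handler(require_post):
    """Build a request handler class for the /job/<name>/build endpoint.

    require_post=False mirrors Jenkins <= 2.329 / LTS <= 2.319.1 with no
    security realm: a plain GET schedules a build.
    require_post=True mirrors the fix in 2.330 / LTS 2.319.2: GET gets 405.
    """
    class Handler(http.server.BaseHTTPRequestHandler):
        scheduled = []  # job names whose builds were triggered (assumed bookkeeping)

        def log_message(self, *_):  # keep the demo quiet
            pass

        def _build(self, method):
            if not (self.path.startswith("/job/") and self.path.endswith("/build")):
                self.send_response(404)
                self.end_headers()
                return
            if method == "GET" and require_post:
                # The hardened behaviour: refuse anything but POST.
                self.send_response(405)
                self.send_header("Allow", "POST")
                self.end_headers()
                return
            # The vulnerable behaviour: the request is honoured regardless of method.
            Handler.scheduled.append(self.path[len("/job/"):-len("/build")])
            self.send_response(201)  # assumed: "build queued" answer
            self.end_headers()

        def do_GET(self):
            self._build("GET")

        def do_POST(self):
            self._build("POST")

    return Handler


def start_server(require_post):
    """Start a stand-in on an ephemeral localhost port; return (server, base_url)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), make_handler(require_post))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def probe_build_endpoint(base_url, job, timeout=5):
    """Send the request a CSRF page would cause: a bare GET, no body, no crumb.

    A browser makes exactly this request for <img src=".../job/<job>/build">
    on an attacker's page. Returns "vulnerable" if the GET is accepted,
    "fixed" if it is refused with 405, else "unexpected:<status>".
    """
    req = urllib.request.Request(f"{base_url}/job/{job}/build", method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code
    if status == 405:
        return "fixed"
    if status in (200, 201, 302):
        return "vulnerable"
    return f"unexpected:{status}"


def demo(job="deploy-prod"):
    """Probe both stand-ins; return (verdict_old, verdict_fixed, builds_old, builds_fixed)."""
    old_srv, old_url = start_server(require_post=False)
    new_srv, new_url = start_server(require_post=True)
    try:
        verdict_old = probe_build_endpoint(old_url, job)
        verdict_new = probe_build_endpoint(new_url, job)
        return (verdict_old, verdict_new,
                list(old_srv.RequestHandlerClass.scheduled),
                list(new_srv.RequestHandlerClass.scheduled))
    finally:
        old_srv.shutdown()
        new_srv.shutdown()


if __name__ == "__main__":
    print(demo())  # ('vulnerable', 'fixed', ['deploy-prod'], [])
```

Pointing probe_build_endpoint at a real instance only tells you something under the advisory's precondition (no security realm): if the GET comes back 403, the permission check fired before the method check and the result says nothing about whether the fix is present, so verify the version from the Jenkins footer or the X-Jenkins response header instead.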
Metadata
Created: 2022-01-21T23:37:57Z
Modified: 2023-10-27T19:01:54Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-p92q-7fhh-mq35/GHSA-p92q-7fhh-mq35.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-p92q-7fhh-mq35
Finding: F007
Auto approve: 1