CVE-2022-36886 – org.jenkins-ci.plugins:external-monitor-job
Package
Manager: maven
Name: org.jenkins-ci.plugins:external-monitor-job
Vulnerable Version: >=0 <192.ve979ca_8b_3ccd
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00071 (percentile: 0.22283)
Details
Summary: External Monitor Job Type Plugin does not require POST requests for an HTTP endpoint
Jenkins External Monitor Job Type Plugin 191.v363d0d1efdf8 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to create runs of an external job. External Monitor Job Type Plugin 192.ve979ca_8b_3ccd requires POST requests for the affected HTTP endpoint.
Metadata
Created: 2022-07-28T00:00:43Z
Modified: 2023-10-27T20:43:13Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-6x63-hrxg-2hjx/GHSA-6x63-hrxg-2hjx.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-6x63-hrxg-2hjx
Finding: F007
Auto approve: 1