CVE-2021-22512 – org.jenkins-ci.plugins:hp-application-automation-tools-plugin

Package

Manager: maven
Name: org.jenkins-ci.plugins:hp-application-automation-tools-plugin
Vulnerable Version: >=0 <6.8

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00117 pctl0.31221

Details

CSRF vulnerability in Jenkins Micro Focus Application Automation Tools Plugin Micro Focus Application Automation Tools Plugin 6.7 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to attacker-specified URLs using attacker-specified username and password. Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. Micro Focus Application Automation Tools Plugin 6.8 requires POST requests and Overall/Administer permission for the affected form validation methods.

Metadata

Created: 2022-05-24T17:46:58Z
Modified: 2022-12-13T19:00:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-mwg2-3xpv-5v28/GHSA-mwg2-3xpv-5v28.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-mwg2-3xpv-5v28
Finding: F007
Auto approve: 1