CVE-2021-22513 – org.jenkins-ci.plugins:hp-application-automation-tools-plugin

Package

Manager: maven
Name: org.jenkins-ci.plugins:hp-application-automation-tools-plugin
Vulnerable Version: >=0 <7.2.3-beta

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00139 pctl0.34569

Details

Missing permission checks in Micro Focus Application Automation Tools Plugin Micro Focus Application Automation Tools Plugin 6.7 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to attacker-specified URLs using attacker-specified username and password. Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability. Micro Focus Application Automation Tools Plugin 6.8 requires POST requests and Overall/Administer permission for the affected form validation methods.

Metadata

Created: 2022-05-24T17:46:58Z
Modified: 2022-12-13T19:14:11Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7qp2-rgxr-29q4/GHSA-7qp2-rgxr-29q4.json
CWE IDs: ["CWE-862"]
Alternative ID: GHSA-7qp2-rgxr-29q4
Finding: F039
Auto approve: 1