logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2022-43407 org.jenkins-ci.plugins:pipeline-input-step

Package

Manager: maven
Name: org.jenkins-ci.plugins:pipeline-input-step
Vulnerable Version: >=0 <456.vd8a_957db_5b_e9

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00013 pctl0.01607

Details

CSRF protection for any URL can be bypassed in Jenkins Pipeline: Input Step Plugin Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict or sanitize the optionally specified ID of the `input` step. This ID is used for the URLs that process user interactions for the given `input` step (proceed or abort) and is not correctly encoded. This allows attackers able to configure Pipelines to have Jenkins build URLs from `input` step IDs that would bypass the CSRF protection of any target URL in Jenkins when the `input` step is interacted with. Pipeline: Input Step Plugin 456.vd8a_957db_5b_e9 limits the characters that can be used for the ID of `input` steps in Pipelines to alphanumeric characters and URL-safe punctuation. Pipelines with `input` steps having IDs with prohibited characters will fail with an error. This includes Pipelines that have already been started but not finished before Jenkins is restarted to apply this update. [Pipeline: Declarative Plugin](https://plugins.jenkins.io/pipeline-model-definition/) provides an `input` directive that is internally using the `input` step, and specifies a non-default ID if not user-defined. Pipeline: Declarative Plugin 2.2114.v2654ca_721309 and earlier may specify values incompatible with this new restriction on legal values: `input` directives in a `stage` use the stage name (which may include prohibited characters) and `input` directives in a `matrix` will use a value generated from the matrix axis values (which always includes prohibited characters). Administrators are advised to update Pipeline: Input Step Plugin and Pipeline: Declarative Plugin at the same time, ideally while no Pipelines are running.

Metadata

Created: 2022-10-19T19:00:22Z
Modified: 2022-12-16T17:10:18Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-g66m-fqxf-3w35/GHSA-g66m-fqxf-3w35.json
CWE IDs: ["CWE-352", "CWE-838"]
Alternative ID: GHSA-g66m-fqxf-3w35
Finding: F115
Auto approve: 1