CVE-2018-1000418 – org.jvnet.hudson.plugins:hipchat

Package

Manager: maven
Name: org.jvnet.hudson.plugins:hipchat
Vulnerable Version: >=0 <2.2.1

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00214 pctl0.43974

Details

Jenkins HipChat Plugin allows credential capture due to incorrect authorization An improper authorization vulnerability exists in Jenkins HipChat Plugin 2.2.0 and earlier in HipChatNotifier.java that allows attackers with Overall/Read access to send test notifications to an attacker-specified HipChat server with attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. As of version 2.2.1, this form validation method requires POST requests and Overall/Administer permissions.

Metadata

Created: 2022-05-13T01:18:46Z
Modified: 2022-11-22T19:47:07Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-w3f7-2qfw-348x/GHSA-w3f7-2qfw-348x.json
CWE IDs: ["CWE-863"]
Alternative ID: GHSA-w3f7-2qfw-348x
Finding: F006
Auto approve: 1