PT-2022-14823 · Jenkins · Jenkins Mailer Plugin
Published 2022-01-12 · Updated 2023-11-22 · CVE-2022-20614
CVSS v3.1: 4.3 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins Mailer Plugin versions 391.ve4a_38c1b_cf4b and earlier
Jenkins Mailer Plugin versions prior to 408.vd726a_1130320 and 1.34.2
Description
A missing permission check in the Jenkins Mailer Plugin allows attackers with Overall/Read access to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname. This issue also results in a cross-site request forgery (CSRF) vulnerability because the form validation method does not require POST requests.
Recommendations
For Jenkins Mailer Plugin versions 391.ve4a_38c1b_cf4b and earlier, update to version 408.vd726a_1130320 or 1.34.2 to require POST requests and Overall/Administer permission for the affected form validation method.
For Jenkins Mailer Plugin versions prior to 408.vd726a_1130320 and 1.34.2, update to version 408.vd726a_1130320 or 1.34.2 to require POST requests and Overall/Administer permission for the affected form validation method.
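The pattern behind this advisory, shown as an added example rather than the Mailer Plugin's own source: a Jenkins form-validation endpoint that resolves a user-supplied hostname, first without the checks (the weakness described above) and then with the two controls the fixed versions add, a POST requirement and an Overall/Administer permission check. The class and method names (ExampleMailerConfiguration, doCheckSmtpServer) are hypothetical.

```java
import hudson.Extension;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.net.InetAddress;
import java.net.UnknownHostException;

// Hypothetical global configuration page; not the Mailer Plugin's real class.
@Extension
public class ExampleMailerConfiguration extends GlobalConfiguration {

    // BEFORE: the pattern the advisory describes. Stapler exposes any
    // public doXxx method as an HTTP endpoint, so this is reachable with a
    // plain GET by anyone holding Overall/Read, and the Jenkins controller
    // performs a DNS lookup for whatever hostname was supplied.
    public FormValidation doCheckSmtpServerUnsafe(@QueryParameter String value) {
        return resolve(value);
    }

    // AFTER: what versions 408.vd726a_1130320 / 1.34.2 require.
    // @RequirePOST rejects GET, so the check cannot be triggered by a
    // cross-site link or image tag; the permission check limits the DNS
    // lookup to administrators, who can already edit the SMTP setting.
    @RequirePOST
    public FormValidation doCheckSmtpServer(@QueryParameter String value) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        if (value == null || value.trim().isEmpty()) {
            return FormValidation.ok();
        }
        return resolve(value.trim());
    }

    // Shared validation body: report whether the host resolves.
    private static FormValidation resolve(String host) {
        try {
            InetAddress.getByName(host);
            return FormValidation.ok();
        } catch (UnknownHostException e) {
            return FormValidation.error("Unknown host: " + host);
        }
    }
}
```

The same two annotations/checks apply to any doCheck-, doTest- or doFill- method that performs a side effect on behalf of the caller; the unsafe method is kept here only to show the contrast and should not exist in a shipped plugin.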
Fix
Missing Authorization
Incorrect Permission
Related Identifiers
Affected Products
Jenkins
Jenkins Mailer Plugin