PT-2022-17145 · Jenkins · Jenkins Dbcharts Plugin+1
Wadeck Follonier
·
Published
2022-02-15
·
Updated
2023-11-03
·
CVE-2022-25206
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Jenkins dbCharts Plugin versions 0.5.2 and earlier
Description
A missing check in the plugin allows attackers with Overall/Read permission to connect to an attacker-specified database via JDBC using attacker-specified credentials.
Recommendations
For Jenkins dbCharts Plugin versions 0.5.2 and earlier, consider disabling the plugin until a patch is available to prevent attackers from connecting to an attacker-specified database via JDBC. Restrict access to the plugin to minimize the risk of exploitation. Avoid using the plugin with Overall/Read permission until the issue is resolved.
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jenkins Dbcharts Plugin