PT-2022-20409 · Jenkins · Jenkins Blue Ocean Plugin+1

Wadeck Follonier · Published 2022-05-17 · Updated 2023-11-03

CVE-2022-30954
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Blue Ocean Plugin versions 1.25.3 and earlier

Description: Several HTTP endpoints of the plugin lack permission checks, which allows attackers with Overall/Read permission to make Jenkins connect to an attacker-specified HTTP server.

Recommendations: For Jenkins Blue Ocean Plugin versions 1.25.3 and earlier, update to version 1.25.4 or later, which requires POST requests and the appropriate permissions for the affected HTTP endpoints.
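As an added defender-side check, not part of this advisory or of the Jenkins project, the script below reads the Jenkins plugin manager API and flags an installed Blue Ocean plugin that is still below the fixed version 1.25.4. The plugin short name `blueocean`, the Jenkins URL and the credentials are assumptions; the sample response is constructed.

```python
import base64
import json
import re
from urllib.request import Request, urlopen

# Fixed version stated in the advisory: Blue Ocean Plugin 1.25.4 or later.
FIXED_VERSION = (1, 25, 4)
# Assumption: short name Jenkins uses for the Blue Ocean plugin.
PLUGIN_SHORT_NAME = "blueocean"


def parse_version(version: str) -> tuple:
    """Turn a plugin version such as '1.25.3' or '1.25.3-rc1' into a tuple of
    its leading numeric components so it can be compared with FIXED_VERSION."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the installed version is below the fixed version."""
    return parse_version(version) < FIXED_VERSION


def affected_plugins(plugin_manager_json: str) -> list:
    """Return (shortName, version) for installed Blue Ocean plugins still affected."""
    data = json.loads(plugin_manager_json)
    return [(p["shortName"], p["version"]) for p in data.get("plugins", [])
            if p.get("shortName") == PLUGIN_SHORT_NAME and is_affected(p.get("version", "0"))]


def fetch_plugin_manager_json(base_url: str, user: str, api_token: str) -> str:
    """Query the plugin manager API (needs a user with Overall/Read). URL and
    credentials are assumptions supplied by the operator running the check."""
    req = Request(base_url.rstrip("/") + "/pluginManager/api/json?depth=1")
    token = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response, trimmed to the fields this check uses.
SAMPLE_RESPONSE = json.dumps({"plugins": [
    {"shortName": "blueocean", "version": "1.25.3", "active": True},
    {"shortName": "git", "version": "4.11.0", "active": True},
]})

if __name__ == "__main__":
    for name, ver in affected_plugins(SAMPLE_RESPONSE):
        print(f"{name} {ver} is below 1.25.4: update per CVE-2022-30954")
```

Replace `SAMPLE_RESPONSE` with the output of `fetch_plugin_manager_json(...)` to run the check against a live instance.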

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers

CVE-2022-30954
GHSA-5M4Q-X28V-Q6WP
RHSA-2023:0017
RHSA-2023:0560
RHSA-2023:0777
RHSA-2023:3198
RHSA-2023:3610
RHSA-2023:3622

Affected Products

Jenkins
Jenkins Blue Ocean Plugin