CVE-2022-34813

Name of the Vulnerable Software and Affected Versions Jenkins XPath Configuration Viewer Plugin versions 1.1.1 and earlier

Description A missing permission check in the Jenkins XPath Configuration Viewer Plugin allows attackers with Overall/Read permission to create and delete XPath expressions. The plugin does not perform permission checks in several HTTP endpoints, which also results in a cross-site request forgery (CSRF) vulnerability because these endpoints do not require POST requests.

Recommendations For Jenkins XPath Configuration Viewer Plugin versions 1.1.1 and earlier, as a temporary workaround, consider restricting access to the HTTP endpoints that do not require POST requests to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.