PT-2022-26891 · Jenkins · Jenkins Pipeline: Input Step Plugin+2

Kevin Guerroudj · Published 2022-10-19 · Updated 2023-11-01 · CVE-2022-43407

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Jenkins Pipeline: Input Step Plugin versions 451.vf1a_a_4f405289 and earlier
Pipeline: Declarative Plugin versions 2.2114.v2654ca_721309 and earlier

Description

The issue arises from the Jenkins Pipeline: Input Step Plugin not restricting or sanitizing the optionally specified ID of the input step. This ID is used for URLs that process user interactions for the given input step and is not correctly encoded, allowing attackers to bypass the CSRF protection of any target URL in Jenkins when the input step is interacted with.

Recommendations

For Jenkins Pipeline: Input Step Plugin versions 451.vf1a_a_4f405289 and earlier, update to version 456.vd8a_957db_5b_e9 or later to limit the characters that can be used for the ID of input steps in Pipelines. For Pipeline: Declarative Plugin versions 2.2114.v2654ca_721309 and earlier, update to a version later than 2.2114.v2654ca_721309 to ensure compatibility with the new restriction on legal values for input step IDs. Administrators are advised to update both Pipeline: Input Step Plugin and Pipeline: Declarative Plugin at the same time, ideally while no Pipelines are running.
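
A pre-upgrade audit for the ID restriction described above, added here as an example and not code from Jenkins or the plugins: it scans Pipeline source for explicitly set input step IDs and reports those that a stricter ID rule could reject. The allowlist (ASCII letters, digits, "-", "_", "."), the regex-based matching and the sample Jenkinsfile are assumptions; this page does not state the fixed plugin's exact rule.

```python
import re

# Assumed conservative allowlist; the page does not give the plugin's exact rule.
SAFE_ID = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]*")

# Scripted form:     input(id: 'x', ...)   or   input id: 'x', ...
_INPUT_CALL = re.compile(r"\binput\s*\(?[^\n{]*?\bid\s*:\s*(['\"])(?P<id>.*?)\1")
# Declarative form:  input { ... id 'x' ... }  (heuristic: stops at the first '}')
_INPUT_BLOCK = re.compile(r"\binput\s*\{(?P<body>[^}]*)\}", re.S)
_BLOCK_ID = re.compile(r"^\s*id\s+(['\"])(?P<id>.*?)\1", re.M)

def _line_of(source, offset):
    return source.count("\n", 0, offset) + 1

def find_input_ids(source):
    """Return sorted (line_number, id) pairs for every explicit input step ID."""
    found = [(_line_of(source, m.start("id")), m.group("id"))
             for m in _INPUT_CALL.finditer(source)]
    for block in _INPUT_BLOCK.finditer(source):
        for m in _BLOCK_ID.finditer(block.group("body")):
            offset = block.start("body") + m.start("id")
            found.append((_line_of(source, offset), m.group("id")))
    return sorted(found)

def audit(source):
    """Return the IDs that fall outside the assumed allowlist."""
    return [(line, i) for line, i in find_input_ids(source)
            if not SAFE_ID.fullmatch(i)]

# Constructed sample Pipeline source (not taken from any real project).
SAMPLE = '''\
pipeline {
  agent any
  stages {
    stage('Approve') {
      input {
        message 'Ship it?'
        id 'release approval!'
      }
      steps { echo 'approved' }
    }
  }
}
node {
  input(id: 'Deploy-Gate_2', message: 'Deploy to staging?')
  input id: "qa sign off", message: 'QA done?'
}
'''

if __name__ == "__main__":
    for line, bad_id in audit(SAMPLE):
        print(f"line {line}: input step id {bad_id!r} needs renaming before upgrade")
```
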

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2022-43407
GHSA-G66M-FQXF-3W35
RHSA-2023:0560
RHSA-2023:0777
RHSA-2023:1064
RHSA-2023:3198

Affected Products

Jenkins
Jenkins Pipeline: Input Step Plugin
Pipeline: Declarative Plugin