CVE-2022-43408

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions Jenkins Pipeline: Stage View Plugin versions 2.26 and earlier

Description The issue arises from the incorrect encoding of the ID of input steps when generating URLs to proceed or abort Pipeline builds, allowing attackers who can configure Pipelines to specify input step IDs. This results in URLs that can bypass the CSRF protection of any target URL in Jenkins.

Recommendations For Jenkins Pipeline: Stage View Plugin versions 2.26 and earlier, update to version 2.27 or later to correctly encode the ID of input steps and prevent bypassing CSRF protection. As a temporary workaround, consider restricting access to the input step functionality until the update is applied.

Fix

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-838CWE-352

Related Identifiers

CVE-2022-43408

GHSA-G975-F26H-93G8

RHSA-2023:0560

RHSA-2023:0777

RHSA-2023:1064

RHSA-2023:3198

Affected Products

Jenkins

Jenkins Pipeline: Stage View Plugin

CVE-2022-43408

Weakness Enumeration

Related Identifiers

Affected Products

References · 8