CVE-2022-43410

Name of the Vulnerable Software and Affected Versions Jenkins Mercurial Plugin versions 1251.va b 121f184902 and earlier

Description The Mercurial Plugin provides a webhook endpoint at "/mercurial/notifyCommit" that can be used to notify Jenkins of changes to an SCM repository. This endpoint receives a repository URL, and Jenkins will schedule polling for all jobs configured with the specified repository. It can be accessed with GET requests and without authentication. The output of the webhook endpoint provides information about which jobs were triggered or scheduled for polling, including jobs the user has no permission to access. This allows attackers with knowledge of Mercurial repository URLs to obtain information about the existence of jobs configured with this Mercurial repository.

Recommendations For Jenkins Mercurial Plugin versions 1251.va b 121f184902 and earlier, consider disabling the /mercurial/notifyCommit webhook endpoint until a patch is available. Update to Jenkins Mercurial Plugin version 1260.vdfb 723cdcc81 or later, which does not provide the names of jobs for which polling is triggered unless the user has the appropriate Item/Read permission.