PT-2022-6109 · Jenkins · Jenkins Tuleap Git Branch Source Plugin

Kevin Guerroudj · Published 2022-10-19 · Updated 2025-05-08 · CVE-2022-43421

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Tuleap Git Branch Source Plugin versions 3.2.4 and earlier

Description: The issue is a missing permission check in the Jenkins Tuleap Git Branch Source Plugin that allows unauthenticated attackers to trigger Tuleap projects whose configured repository matches an attacker-specified value. The root cause is insufficient authorization when handling the /tuleap-hook/ endpoint, which may also allow remote attackers to gain unauthorized access to protected information.

Recommendations: For Jenkins Tuleap Git Branch Source Plugin versions 3.2.4 and earlier, update to version 3.2.5 or later, which requires a token to access the webhook endpoint and so mitigates the risk of unauthorized access. As a temporary workaround, restrict access to the /tuleap-hook/ endpoint to reduce the risk of exploitation.
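As an added example (not part of this advisory or the plugin's own code), the script below scans web-server access logs for requests to the /tuleap-hook/ endpoint that did not come from the Tuleap server, which helps audit exposure on a pre-3.2.5 instance and confirm that the access-restriction workaround actually blocks outside callers. The sample log lines, the /jenkins context path and the trusted subnet 10.0.5.0/24 are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines (combined log format); not taken from any real host.
SAMPLE_LOG = """\
10.0.5.20 - - [19/Oct/2022:10:01:02 +0000] "POST /jenkins/tuleap-hook/ HTTP/1.1" 200 12 "-" "Tuleap/13.8"
203.0.113.77 - - [19/Oct/2022:10:03:15 +0000] "POST /jenkins/tuleap-hook/ HTTP/1.1" 200 12 "-" "curl/7.85.0"
10.0.5.20 - - [19/Oct/2022:10:04:00 +0000] "GET /jenkins/job/demo/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Oct/2022:10:05:41 +0000] "POST /jenkins/tuleap-hook/ HTTP/1.1" 403 0 "-" "python-requests/2.28"
"""

# Assumed: the only legitimate webhook caller is the Tuleap server, living in this subnet.
TRUSTED_SOURCES = [ip_network("10.0.5.0/24")]

# Combined log format: client, ident, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_trusted(src: str) -> bool:
    """True if the client address falls inside an allow-listed network."""
    addr = ip_address(src)
    return any(addr in net for net in TRUSTED_SOURCES)


def find_untrusted_hook_hits(log_text: str, hook_path: str = "/tuleap-hook/"):
    """Return (source, timestamp, status) for webhook requests from outside the allowlist.

    A 200 from an untrusted source on a pre-3.2.5 plugin means the unauthenticated
    trigger succeeded; a 403 after the workaround shows the restriction is working.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or hook_path not in m["path"] or is_trusted(m["src"]):
            continue
        hits.append((m["src"], m["ts"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for src, ts, status in find_untrusted_hook_hits(SAMPLE_LOG):
        print(f"{ts} untrusted webhook call from {src} -> HTTP {status}")
```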

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

BDU:2023-00049
CVE-2022-43421
GHSA-73V5-W6FG-2M44

Affected Products

Jenkins
Jenkins Tuleap Git Branch Source Plugin