CVE-2022-41232

2022-09-2116:15:10

CWE-352

[email protected]

web.nvd.nist.gov

348

cve-2022-41232

csrf

jenkins

build-publisher plugin

api endpoint

security vulnerability

nvd

8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

7.6 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

27.1%

JSON

A cross-site request forgery (CSRF) vulnerability in Jenkins Build-Publisher Plugin 1.22 and earlier allows attackers to replace any config.xml file on the Jenkins controller file system with an empty file by providing a crafted file name to an API endpoint.

Affected configurations

NVD

Node

jenkinsbuild-publisherRange≤1.22jenkins

CPENameOperatorVersion
jenkins:build-publisherjenkins build-publisherle1.22

CPE	Name	Operator	Version
jenkins:build-publisher	jenkins build-publisher	le	1.22

CNA Affected

[
  {
    "product": "Jenkins Build-Publisher Plugin",
    "vendor": "Jenkins project",
    "versions": [
      {
        "lessThanOrEqual": "1.22",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "unknown",
        "version": "next of 1.22",
        "versionType": "custom"
      }
    ]
  }
]