Lucene search

GitHub_MCVELIST:CVE-2023-30607

HistoryJul 05, 2023 - 5:42 p.m.

CVE-2023-30607 icingaweb2-module-jira template and field configuration are susceptible to CSRF

2023-07-0517:42:54

CWE-352

GitHub_M

www.cve.org

cve-2023-30607

icingaweb2-module-jira

csrf

vulnerability

fixed

atlassian jira

version 1.3.0

version 1.3.2

5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

8.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

35.1%

JSON

icingaweb2-module-jira provides integration with Atlassian Jira. Starting in version 1.3.0 and prior to version 1.3.2, template and field configuration forms perform the deletion action before user input is validated, including the cross site request forgery token. This issue is fixed in version 1.3.2. There are no known workarounds.

CNA Affected

[
  {
    "vendor": "Icinga",
    "product": "icingaweb2-module-jira",
    "versions": [
      {
        "version": ">= 1.3.0, < 1.3.2",
        "status": "affected"
      }
    ]
  }
]

References

github.com/Icinga/icingaweb2-module-jira/commit/7f0c53b7a3e87be2f4c2e8840805d7b7c9762424

github.com/Icinga/icingaweb2-module-jira/releases/tag/v1.3.2

github.com/Icinga/icingaweb2-module-jira/security/advisories/GHSA-gh7w-7f7j-gwp5