Lucene search

GitHub Advisory DatabaseGHSA-2WWH-QGH8-W9XW

HistorySep 20, 2023 - 6:30 p.m.

Jenkins Build Failure Analyzer Plugin Cross-Site Request Forgery vulnerability

2023-09-2018:30:21

CWE-352

GitHub Advisory Database

github.com

jenkins

bfa plugin

csrf

vulnerability

http

endpoint

attackers

delete

post.

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

0.0005 Low

EPSS

Percentile

17.0%

JSON

Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier does not require POST requests for an HTTP endpoint, resulting in cross-site request forgery (CSRF) vulnerabilities.

This vulnerability allows attackers to delete Failure Causes.

Build Failure Analyzer Plugin 2.4.2 requires POST requests for the affected HTTP endpoint.

Affected configurations

Vulners

Node

jenkinsbuild_failure_analyzerRange<2.4.2jenkins

CPENameOperatorVersion
com.sonyericsson.jenkins.plugins.bfa:build-failure-analyzerlt2.4.2

CPE	Name	Operator	Version
	com.sonyericsson.jenkins.plugins.bfa:build-failure-analyzer	lt	2.4.2

References

www.openwall.com/lists/oss-security/2023/09/20/5

github.com/advisories/GHSA-2wwh-qgh8-w9xw

github.com/jenkinsci/build-failure-analyzer-plugin/commit/a261229a67c52927d531c48ec0a59bf138ebd4d0

nvd.nist.gov/vuln/detail/CVE-2023-43502

www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3239

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

0.0005 Low

EPSS

Percentile

17.0%

JSON

Related for GHSA-2WWH-QGH8-W9XW