Lucene search

GitHub Advisory DatabaseGHSA-9JWH-QVG7-GR59

HistoryJan 26, 2023 - 9:30 p.m.

CSRF vulnerability in Jenkins Orka Plugin allow capturing credentials

2023-01-2621:30:18

CWE-352

GitHub Advisory Database

github.com

csrf

jenkins

orka plugin

macstadium

credentials capture

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

33.0%

JSON

A cross-site request forgery (CSRF) vulnerability in Jenkins Orka by MacStadium Plugin 1.31 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Affected configurations

Vulners

Node

io.jenkins.pluginsmacstadium-orkaRange<1.32

VendorProductVersionCPE
io.jenkins.pluginsmacstadium-orka*cpe:2.3:a:io.jenkins.plugins:macstadium-orka:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
io.jenkins.plugins	macstadium-orka	*	cpe:2.3:a:io.jenkins.plugins:macstadium-orka::::::::

References

github.com/advisories/GHSA-9jwh-qvg7-gr59

nvd.nist.gov/vuln/detail/CVE-2023-24432

www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2772%20(2)

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

33.0%

JSON

Related for GHSA-9JWH-QVG7-GR59