Lucene search

GitHub Advisory DatabaseGHSA-JRJ6-QX48-3CPQ

HistoryAug 16, 2023 - 3:30 p.m.

Jenkins Favorite View Plugin cross-site request forgery vulnerability

2023-08-1615:30:18

CWE-352

GitHub Advisory Database

github.com

jenkins

favorite view

csrf

vulnerability

http endpoint

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

0.0005 Low

EPSS

Percentile

17.1%

JSON

Jenkins Favorite View Plugin 5.v77a_37f62782d and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to add or remove views from another user’s favorite views tab bar.

As of publication of this advisory, there is no fix.

Affected configurations

Vulners

Node

vmwareviewRange≤5.v77a

CPENameOperatorVersion
org.jenkins-ci.plugins:favorite-viewle5.v77a

CPE	Name	Operator	Version
	org.jenkins-ci.plugins:favorite-view	le	5.v77a

References

www.openwall.com/lists/oss-security/2023/08/16/3

github.com/advisories/GHSA-jrj6-qx48-3cpq

nvd.nist.gov/vuln/detail/CVE-2023-40351

www.jenkins.io/security/advisory/2023-08-16/#SECURITY-3201

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

0.0005 Low

EPSS

Percentile

17.1%

JSON

Related for GHSA-JRJ6-QX48-3CPQ