Lucene search

GitHub Advisory DatabaseGHSA-MRF6-4GW6-65V3

HistorySep 22, 2022 - 12:00 a.m.

Jenkins extreme-feedback Plugin vulnerable to Missing Authorization

2022-09-2200:00:28

CWE-862

GitHub Advisory Database

github.com

jenkins

extreme-feedback

missing authorization

http endpoint

overall/read permission

lamps

mac addresses

ip addresses

fix

software

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

22.2%

JSON

Jenkins extreme-feedback Plugin 1.7 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to discover information about job names attached to lamps, discover MAC and IP addresses of existing lamps, and rename lamps.

As of publication of this advisory, there is no fix.

Affected configurations

Vulners

Node

ougc_feedback_projectougc_feedbackRange≤1.7mybb

CPENameOperatorVersion
org.jenkins-ci.plugins:extreme-feedbackle1.7

CPE	Name	Operator	Version
	org.jenkins-ci.plugins:extreme-feedback	le	1.7

References

github.com/advisories/GHSA-mrf6-4gw6-65v3

nvd.nist.gov/vuln/detail/CVE-2022-41242

www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2001

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

22.2%

JSON

Related for GHSA-MRF6-4GW6-65V3