| CVSS3 | 4.3 Medium |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | LOW |
| Availability Impact | NONE |
| Vector string | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |

| CVSS2 | 2.6 Low |
|---|---|
| Access Vector | NETWORK |
| Access Complexity | HIGH |
| Authentication | NONE |
| Confidentiality Impact | NONE |
| Integrity Impact | PARTIAL |
| Availability Impact | NONE |
| Vector string | AV:N/AC:H/Au:N/C:N/I:P/A:N |

| EPSS | 0.001 Low |
|---|---|
| Percentile | 34.1% |
Jenkins 2.329 and earlier, and LTS 2.319.1 and earlier, do not require POST requests for the HTTP endpoint that handles manual build requests when no security realm is set, resulting in a cross-site request forgery (CSRF) vulnerability.
This vulnerability allows attackers to trigger builds of jobs without parameters.
Jenkins 2.330 and LTS 2.319.2 require POST requests for the affected HTTP endpoint.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | org.jenkins-ci.main:jenkins-core | lt | 2.330 |
| | org.jenkins-ci.main:jenkins-core | lt | 2.319.2 |
- www.openwall.com/lists/oss-security/2022/01/12/6
- github.com/advisories/GHSA-p92q-7fhh-mq35
- github.com/jenkinsci/jenkins/commit/b5c3764681f3b4ce83d0e78f6a9327925640d57e
- nvd.nist.gov/vuln/detail/CVE-2022-20612
- www.jenkins.io/changelog-stable/#v2.319.2
- www.jenkins.io/changelog/#v2.330
- www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2558
- www.oracle.com/security-alerts/cpuapr2022.html