Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-X25H-F84X-WH4M
HistoryMar 30, 2022 - 12:00 a.m.

CSRF vulnerability in Jenkins RocketChat Notifier Plugin

2022-03-3000:00:25
CWE-352
GitHub Advisory Database
github.com
10
jenkins
rocketchat
notifier plugin
csrf
vulnerability
permission check
method
form validation
overall/read
url
credential
post requests
cross-site request forgery
1.5.0
overall/administer

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

EPSS

0.002

Percentile

53.6%

JSON

Jenkins RocketChat Notifier Plugin 1.4.10 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credential.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

RocketChat Notifier Plugin 1.5.0 requires POST requests and Overall/Administer permission for the affected form validation method.

Affected configurations

Vulners
Node
org.jenkins-ci.pluginsrocketchatnotifierRange<1.5.0
VendorProductVersionCPE
org.jenkins-ci.pluginsrocketchatnotifier*cpe:2.3:a:org.jenkins-ci.plugins:rocketchatnotifier:*:*:*:*:*:*:*:*

Related

cve 1
osv 2
nvd 1
cnvd 1
prion 1
cvelist 1
nessus 1
cve
cve
CVE-2022-28138
2022-03-29 13:15:08
osv
osv
CSRF vulnerability in Jenkins RocketChat Notifier Plugin
2022-03-30 00:00:25
CVE-2022-28138
2022-03-29 13:15:08
nvd
nvd
CVE-2022-28138
2022-03-29 13:15:08
cnvd
cnvd
Jenkins RocketChat Notifier Plugin跨站请求δΌͺι€ ζΌζ΄ž
2022-03-31 00:00:00
prion
prion
Cross site request forgery (csrf)
2022-03-29 13:15:00
cvelist
cvelist
CVE-2022-28138
2022-03-29 12:30:51
nessus
nessus
Jenkins plugins Multiple Vulnerabilities (2022-03-29)
2022-03-31 00:00:00

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

EPSS

0.002

Percentile

53.6%

JSON
Related for GHSA-X25H-F84X-WH4M
cve1osv2nvd1cnvd1prion1cvelist1nessus1