NVD:CVE-2022-41249
History: Sep 21, 2022 - 4:15 p.m.

CVE-2022-41249

2022-09-21 16:15:11
CWE-352
web.nvd.nist.gov
3
cross-site request forgery
jenkins
scm httpclient plugin
http server
credentials capturing

CVSS3: 8.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS: 0.001
Percentile: 34.3%

A cross-site request forgery (CSRF) vulnerability in Jenkins SCM HttpClient Plugin 1.5 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Affected configurations

Nvd
Node: jenkins scm_httpclient, Range 1.5, jenkins

Vendor    Product           Version    CPE
jenkins   scm_httpclient    *          cpe:2.3:a:jenkins:scm_httpclient:*:*:*:*:*:jenkins:*:*
