Lucene search

Veracode Vulnerability DatabaseVERACODE:43363

HistorySep 25, 2023 - 7:20 a.m.

Cross-Site Request Forgery

2023-09-2507:20:21

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

cross-site request forgery

causemanagement.java

get

software

failure causes

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

0.0005 Low

EPSS

Percentile

17.0%

JSON

com.sonyericsson.jenkins.plugins.bfa: build-failure-analyzer is vulnerable to Cross-Site Request Forgery. The vulnerability is due to the doRemoveConfirm method in CauseManagement.java which handles requests via GET, allowing an attacker to delete Failure Causes.

CPENameOperatorVersion
build failure analyzerle2.4.1
build failure analyzerle2.4.1

CPE	Name	Operator	Version
	build failure analyzer	le	2.4.1
	build failure analyzer	le	2.4.1

References

www.openwall.com/lists/oss-security/2023/09/20/5

github.com/advisories/GHSA-2wwh-qgh8-w9xw

github.com/jenkinsci/build-failure-analyzer-plugin/commit/a261229a67c52927d531c48ec0a59bf138ebd4d0

www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3239

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

0.0005 Low

EPSS

Percentile

17.0%

JSON

Related for VERACODE:43363