Vulnerability Description
Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of 'input' steps when using it to generate URLs to proceed or abort Pipeline builds, allowing attackers able to configure Pipelines to specify 'input' step IDs resulting in URLs that would bypass the CSRF protection of any target URL in Jenkins.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jenkins | Pipeline\ | < 2.27, stage_view |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2022/10/19/3Mailing ListThird Party Advisory
- https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828Vendor Advisory
- http://www.openwall.com/lists/oss-security/2022/10/19/3Mailing ListThird Party Advisory
- https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828Vendor Advisory
FAQ
What is CVE-2022-43408?
CVE-2022-43408 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of 'input' steps when using it to generate URLs to proceed or abort Pipeline builds, allowing attackers able to co...
How severe is CVE-2022-43408?
CVE-2022-43408 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-43408?
Check the references section above for vendor advisories and patch information. Affected products include: Jenkins Pipeline\.