Description

A cross-site request forgery (CSRF) vulnerability in Jenkins 2.329 and earlier, LTS 2.319.1 and earlier allows attackers to trigger build of job without parameters when no security realm is set.

Remediation

References

http://www.openwall.com/lists/oss-security/2022/01/12/6

https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2558

https://www.oracle.com/security-alerts/cpuapr2022.html

Related Vulnerabilities

CVE-2020-7608 Vulnerability in maven package org.webjars.npm:yargs-parser

CVE-2022-36898 Vulnerability in maven package com.compuware.jenkins:compuware-ispw-operations

CVE-2020-13942 Vulnerability in maven package org.apache.unomi:unomi-persistence-elasticsearch-core

CVE-2022-24785 Vulnerability in maven package org.webjars.bowergithub.moment:moment

CVE-2020-11971 Vulnerability in maven package org.apache.camel:camel-main

Severity

Medium

Classification

CWE-352 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory Patch