CVE-2022-36887

UNKNOWN

Published 2022-07-27T14:22:04

Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2022-36887. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

A cross-site request forgery (CSRF) vulnerability in Jenkins Job Configuration History Plugin 1155.v28a_46a_cc06a_5 and earlier allows attackers to delete entries from job, agent, and system configuration history, or restore older versions of job, agent, and system configurations.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Jenkins project

Jenkins Job Configuration History Plugin

Affected Versions:

unspecified

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed MODERATE

Jenkins Job Configuration History Plugin does not require POST requests for several HTTP endpoints

GHSA-j896-j72w-cr32

Advisory Details

Jenkins Job Configuration History Plugin 1155.v28a_46a_cc06a_5 and earlier does not require POST requests for several HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities allow attackers to delete entries from job, agent, and system configuration history, or restore older versions of job, agent, and system configurations. Job Configuration History Plugin 1156.v536a_97b_8d649 requires POST requests for the affected HTTP endpoints.

Affected Packages

Maven org.jenkins-ci.plugins:jobConfigHistory

ECOSYSTEM: ≥0 <1156.v536a_97b_8d649

CVSS Scoring

CVSS Score

5.0

CVSS Vector


                                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-36887

WEB https://github.com/jenkinsci/job-config-history-plugin/commit/536a97b8d649b3114f5db24ea32a7c63188a35c6

WEB https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-2766

WEB http://www.openwall.com/lists/oss-security/2022/07/27/1

Advisory provided by GitHub Security Advisory Database. Published: July 28, 2022, Modified: October 27, 2023

References

https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-2766

http://www.openwall.com/lists/oss-security/2022/07/27/1

Published: 2022-07-27T14:22:04

Last Modified: 2024-08-03T10:14:29.218Z

Copied to clipboard!

CVE-2022-36887

Expert Analysis

Description

Available Exploits

Related News

Affected Products

Jenkins Job Configuration History Plugin

Affected Versions:

GitHub Security Advisories

Jenkins Job Configuration History Plugin does not require POST requests for several HTTP endpoints

Advisory Details

Affected Packages

CVSS Scoring

CVSS Score

CVSS Vector

References

References

Request Analysis

What to expect

Request Received!