GHSA-v535-pc6r-77qh

GitHub Security Advisory

Lack of authentication mechanism for webhook in CloudBees Docker Hub/Registry Notification Plugin

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

CloudBees Docker Hub/Registry Notification Plugin provides several webhook endpoints that can be used to trigger builds when Docker images used by a job have been rebuilt.

In CloudBees Docker Hub/Registry Notification Plugin 2.6.2 and earlier, these endpoints can be accessed without authentication.

This allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.

CloudBees Docker Hub/Registry Notification Plugin 2.6.2.1 requires a token as a part of webhook URLs, which will act as authentication for the webhook endpoint. As a result, all webhook URLs in the plugin will be different after updating the plugin.

Administrators can set the [Java system property](https://www.jenkins.io/doc/book/managing/system-properties/) `org.jenkinsci.plugins.registry.notification.webhook.JSONWebHook.DO_NOT_REQUIRE_API_TOKEN` to `true` to disable this fix.
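
An updated controller is still reachable without a token if the opt-out property is set, so an audit has to check both the plugin version and the JVM arguments. The following sketch is an added example, not code from the advisory or the plugin; the `name:version` plugin list, the JVM argument string, the function names and the sample values are assumptions made for illustration.

```python
import re
import shlex

PLUGIN = "dockerhub-notification"   # artifact id from the advisory
FIXED = (2, 6, 2, 1)                # first release that requires a webhook token
OPT_OUT = ("org.jenkinsci.plugins.registry.notification.webhook."
           "JSONWebHook.DO_NOT_REQUIRE_API_TOKEN")

def parse_version(text):
    """Leading numeric dotted components, e.g. '2.6.2.1' -> (2, 6, 2, 1)."""
    parts = []
    for seg in text.strip().split("."):
        m = re.match(r"\d+", seg)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def is_affected(version):
    """True for releases before 2.6.2.1; an unparseable version counts as affected."""
    v = parse_version(version)
    width = max(len(v), len(FIXED))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(v) < pad(FIXED)

def opt_out_enabled(jvm_args):
    """True if the last -D setting of the opt-out property is 'true' (any case, assumed)."""
    value = None
    for tok in shlex.split(jvm_args):
        if tok.startswith("-D" + OPT_OUT + "="):
            value = tok.split("=", 1)[1]
    return value is not None and value.lower() == "true"

def audit(plugin_list, jvm_args):
    """Classify one controller from 'name:version' lines and its JVM arguments."""
    for line in plugin_list.splitlines():
        name, _, version = line.strip().partition(":")
        if name == PLUGIN:
            if is_affected(version):
                return "unauthenticated: upgrade to 2.6.2.1 or later"
            if opt_out_enabled(jvm_args):
                return "unauthenticated: opt-out property disables the fix"
            return "token required"
    return "plugin not installed"

# Constructed sample input, not taken from a real controller.
SAMPLE_PLUGINS = "git:4.11.0\ndockerhub-notification:2.6.2.1\n"
SAMPLE_JVM_ARGS = "-Xmx2g -D" + OPT_OUT + "=true"
```

With the constructed sample, `audit(SAMPLE_PLUGINS, SAMPLE_JVM_ARGS)` reports the opt-out case even though the installed version is the fixed one.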

Affected Packages

Maven org.jenkins-ci.plugins:dockerhub-notification
Affected versions: 0 (fixed in 2.6.2.1)

Key Information

GHSA ID
GHSA-v535-pc6r-77qh
Published
November 16, 2022 12:00 PM
Last Modified
April 30, 2025 8:25 PM
CVSS Score
5.0 /10
Primary Ecosystem
Maven
Primary Package
org.jenkins-ci.plugins:dockerhub-notification
GitHub Reviewed
✓ Yes

Dataset

Last updated: August 25, 2025 6:33 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.