Description

A cross-site request forgery (CSRF) vulnerability in Jenkins 2.329 and earlier, LTS 2.319.1 and earlier allows attackers to trigger build of job without parameters when no security realm is set.

Remediation

References

http://www.openwall.com/lists/oss-security/2022/01/12/6

https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2558

https://www.oracle.com/security-alerts/cpuapr2022.html

Related Vulnerabilities

CVE-2023-40343 Vulnerability in maven package io.jenkins.plugins:tuleap-oauth

CVE-2020-15250 Vulnerability in maven package junit:junit

CVE-2022-2216 Vulnerability in maven package org.webjars.npm:parse-url

CVE-2022-24823 Vulnerability in maven package io.netty:netty-common

CVE-2022-31108 Vulnerability in maven package org.webjars.bower:mermaid

Severity

Medium

Classification

CWE-352 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory Patch