Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-43408

Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of 'input' steps when using it to generate URLs to proceed or abort Pipeline builds, allowing attackers able to configure Pipelines to specify 'input' step IDs resulting in URLs that would bypass the CSRF protection of any target URL in Jenkins.

Published

2022-10-19T16:15:10.543

Last Modified

2025-05-08T20:15:27.163

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

Weaknesses

Type: Primary
CWE-352
Type: Secondary
CWE-352

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	jenkins	pipeline\	< 2.27	Yes

References

http://www.openwall.com/lists/oss-security/2022/10/19/3 Mailing List, Third Party Advisory ([email protected])
https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828 Vendor Advisory ([email protected])
http://www.openwall.com/lists/oss-security/2022/10/19/3 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)