CSRF vulnerability in Jenkins openstack-heat Plugin · CVE-2022-36911 · GitHub Advisory Database · GitHub

CSRF vulnerability in Jenkins openstack-heat Plugin

Moderate severity GitHub Reviewed Published Jul 28, 2022 to the GitHub Advisory Database • Updated Jan 29, 2023

Package

org.jenkins-ci.plugins:openstack-heat (Maven)

Affected versions

<= 1.5

Patched versions

None

Description

openstack-heat Plugin 1.5 and earlier does not perform permission checks in methods implementing form validation.

This form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

References

Published by the National Vulnerability Database

Jul 27, 2022

Published to the GitHub Advisory Database Jul 28, 2022

Reviewed Aug 10, 2022

Last updated Jan 29, 2023

Severity

Moderate

/ 10

CVSS v3 base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N