Home > Vulnerability Database > CVE-2022-43408

Mend.io Vulnerability Database

CVE-2022-43408

Good to know:

Date: October 18, 2022

Jenkins Pipeline: Stage View Plugin 2.26 and earlier does not correctly encode the ID of 'input' steps when using it to generate URLs to proceed or abort Pipeline builds, allowing attackers able to configure Pipelines to specify 'input' step IDs resulting in URLs that would bypass the CSRF protection of any target URL in Jenkins.

Language: Java

Severity Score

6.5

Related Resources (5)

Url: https://github.com/jenkinsci/pipeline-stage-view-plugin/commit/cee275109ee748fa9f599ec60159807a28a2933f

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-43408

Url: https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2828

Url: http://www.openwall.com/lists/oss-security/2022/10/19/3

Url: https://www.mend.io/vulnerability-database/CVE-2022-43408

Severity Score

6.5

Weakness Type (CWE)

Cross-Site Request Forgery (CSRF)

CWE-352

Inappropriate Encoding for Output Context

CWE-838

Top Fix

Upgrade Version

Upgrade to version org.jenkins-ci.plugins.pipeline-stage-view:pipeline-stage-view:2.27

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2022-43408

Good to know:

Date: October 18, 2022

Language: Java

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?