Input Step Plugin Vulnerability in Jenkins Affecting User Interaction Processing
CVE-2022-43407

8.8HIGH

Key Information:

Vendor: Jenkins
Status: Jenkins Pipeline: Input Step Plugin
Vendor: CVE Published:; 19 October 2022

Summary

The Input Step Plugin in Jenkins allows the specification of an ID for its 'input' step without adequate restrictions or sanitization. This flaw permits attackers who have the ability to configure Pipelines to craft Jenkins build URLs that leverage these input step IDs. Such crafted links can effectively circumvent the CSRF protections in place for target URLs within Jenkins, exposing the system to potential unauthorized actions when users interact with the compromised input steps.

Affected Version(s)

Jenkins Pipeline: Input Step Plugin <= 451.vf1a_a_4f405289

Jenkins Pipeline: Input Step Plugin 449.451.v9c3d42f23975

References

https://www.jenkins.io/security/advisory/2022-10-19/#SECU...

http://www.openwall.com/lists/oss-security/2022/10/19/3

mailing-list

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Oct 19, 2022
Vulnerability Reserved
Oct 18, 2022