Home > Vulnerability Database > CVE-2022-43407

Mend.io Vulnerability Database

CVE-2022-43407

Good to know:

Date: October 19, 2022

Jenkins Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict or sanitize the optionally specified ID of the 'input' step, which is used for the URLs that process user interactions for the given 'input' step (proceed or abort) and is not correctly encoded, allowing attackers able to configure Pipelines to have Jenkins build URLs from 'input' step IDs that would bypass the CSRF protection of any target URL in Jenkins when the 'input' step is interacted with.

Language: Java

Severity Score

8.8

Related Resources (4)

Url: https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2880

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-43407

Url: http://www.openwall.com/lists/oss-security/2022/10/19/3

Url: https://www.mend.io/vulnerability-database/CVE-2022-43407

Severity Score

8.8

Weakness Type (CWE)

Cross-Site Request Forgery (CSRF)

CWE-352

Inappropriate Encoding for Output Context

CWE-838

Top Fix

Upgrade Version

Upgrade to version org.jenkins-ci.plugins:pipeline-input-step:456.vd8a_957db_5b_e9

Learn More

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2022-43407

Good to know:

Date: October 19, 2022

Language: Java

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?