1. Home
  2. Security Advisories
  3. Jenkins
  4. JENKINS:SECURITY-2658

[JENKINS:SECURITY-2658] CSRF vulnerability and missing permission checks in `xpath-config-viewer`

Severity Medium
Affected Packages 2
CVEs 2
Info Packages References Vulnerabilities

xpath-config-viewer 1.1.1 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to create and delete XPath expressions.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

Package Affected Version
pkg:maven/org.jenkins-ci.plugins/xpath-config-viewer <= 1.1.1
pkg:github/jenkinsci/xpath-config-viewer-plugin <= 1.1.1
ID
JENKINS:SECURITY-2658
Severity
medium
Published
2022-06-30T00:00:00
(2 years ago)
Modified
2022-06-30T00:00:00
(2 years ago)
Rights
Jenkins Security Team
Other Advisories
Source # ID Name URL
Plugin repository xpath-config-viewer repository https://github.com/jenkinsci/xpath-config-viewer-plugin
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.jenkins-ci.plugins/xpath-config-viewer org.jenkins-ci.plugins xpath-config-viewer <= 1.1.1
Affected pkg:github/jenkinsci/xpath-config-viewer-plugin jenkinsci xpath-config-viewer-plugin <= 1.1.1
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date