[JENKINS:SECURITY-984-1] CSRF vulnerability and missing permission checks in HipChat Plugin allowed capturing credentials
Severity: Medium
Affected Packages: 2
Fixed Packages: 2
CVEs: 1
HipChat Plugin did not perform permission checks on a method that sends test notifications.
This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified HipChat server using attacker-specified connection settings and credentials IDs obtained through another method, capturing credentials stored in Jenkins and submitting messages to HipChat.
Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.
This form validation method now requires POST requests and Overall/Administer permissions.
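The two defects the advisory describes, missing permission check and missing POST requirement, shown side by side in a Jenkins form-validation method. This is an added illustration, not the HipChat Plugin's own code: the class and method names and the `/notify` endpoint are hypothetical, and the credential lookup assumes the Credentials and Plain Credentials plugins.

```java
// Added example, not the HipChat plugin's code; names and the /notify path are hypothetical.
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Collections;
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.GlobalConfiguration;
import jenkins.model.Jenkins;
import org.jenkinsci.plugins.plaincredentials.StringCredentials;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class NotifierConfig extends GlobalConfiguration {
    // BEFORE: callable via GET by any Overall/Read user, and by a forged link (CSRF).
    // The caller chooses both the server and the credentials ID, so a stored
    // secret is sent to a host of the caller's choosing.
    public FormValidation doTestConnectionVulnerable(@QueryParameter String server,
                                                     @QueryParameter String credentialsId) {
        return sendTestNotification(server, credentialsId);
    }

    // AFTER (the shape of the fix): @RequirePOST rejects GET, so a plain link cannot
    // trigger it and the crumb check applies; only Overall/Administer may call it.
    @RequirePOST
    public FormValidation doTestConnection(@QueryParameter String server,
                                           @QueryParameter String credentialsId) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return sendTestNotification(server, credentialsId);
    }

    private FormValidation sendTestNotification(String server, String credentialsId) {
        StringCredentials cred = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(StringCredentials.class,
                        Jenkins.get(), ACL.SYSTEM, Collections.emptyList()),
                CredentialsMatchers.withId(credentialsId));
        if (cred == null) {
            return FormValidation.error("No credentials with ID " + credentialsId);
        }
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(server + "/notify").openConnection();
            conn.setRequestMethod("POST");
            // The stored secret leaves Jenkins here; that is why the caller must be an admin.
            conn.setRequestProperty("Authorization", "Bearer " + cred.getSecret().getPlainText());
            int code = conn.getResponseCode();
            return code < 300 ? FormValidation.ok("Notification sent") : FormValidation.error("HTTP " + code);
        } catch (IOException e) {
            return FormValidation.error(e, "Connection failed");
        }
    }
}
```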
Package | Affected Version |
---|---|
pkg:maven/org.jenkins-ci.plugins/hipchat | <= 2.2.0 |
pkg:github/jenkinsci/hipchat-plugin | <= 2.2.0 |
Package | Fixed Version |
---|---|
pkg:maven/org.jenkins-ci.plugins/hipchat | = 2.2.1 |
pkg:github/jenkinsci/hipchat-plugin | = 2.2.1 |
- ID: JENKINS:SECURITY-984-1
- Severity: medium
- Published: 2018-09-25T00:00:00
- Modified: 2018-09-25T00:00:00
- Rights: Jenkins Security Team
- Other Advisories

Source | Name | URL
---|---|---
Plugin repository | hipchat repository | https://github.com/jenkinsci/hipchat-plugin
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix
---|---|---|---|---|---|---|---
Affected | pkg:maven/org.jenkins-ci.plugins/hipchat | org.jenkins-ci.plugins | hipchat | <= 2.2.0 | | |
Fixed | pkg:maven/org.jenkins-ci.plugins/hipchat | org.jenkins-ci.plugins | hipchat | = 2.2.1 | | |
Affected | pkg:github/jenkinsci/hipchat-plugin | jenkinsci | hipchat-plugin | <= 2.2.0 | | |
Fixed | pkg:github/jenkinsci/hipchat-plugin | jenkinsci | hipchat-plugin | = 2.2.1 | | |