[MAVEN:GHSA-22XP-7RCX-XP34] Jenkins Slack Notification Plugin missing permission check
Severity
Moderate
Affected Packages
1
Fixed Packages
1
CVEs
1
Jenkins Slack Notification Plugin did not perform permission checks on a method implementing form validation. This allowed users with Overall/Read access to Jenkins to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Additionally, this form validation method did not require POST requests, resulting in a cross-site request forgery vulnerability.
This form validation method now requires POST requests and Overall/Administer (for global configuration) or Item/Configure permissions (for job configuration).
| Package | Affected Version |
|---|---|
 pkg:maven/org.jenkins-ci.plugins/slack
|
<= 2.19 |
| Package | Fixed Version |
|---|---|
|
pkg:maven/org.jenkins-ci.plugins/slack
|
= 2.20 |
- ID
- MAVEN:GHSA-22XP-7RCX-XP34
- Severity
- moderate
- URL
- https://github.com/advisories/GHSA-22xp-7rcx-xp34
- Published
-
2022-05-13T01:15:08
(2 years ago) - Modified
-
2023-10-26T14:30:25
(10 months ago) - Rights
- Maven Security Team
- Other Advisories
JENKINS:SECURITY-976| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |