#VU68600 Cross-site request forgery in Pipeline: Input Step - CVE-2022-43407

Cybersecurity Help s.r.o.

Published: 2022-10-24

Vulnerability identifier: #VU68600

Vulnerability risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-43407

CWE-ID: CWE-352

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Pipeline: Input Step
Web applications / Modules and components for CMS

Vendor: Jenkins

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote user can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Pipeline: Input Step: 451.vf1a_a_4f405289

External links
https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2880
https://www.openwall.com/lists/oss-security/2022/10/19/3

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Red Hat Product OCP Tools 4.12 update for Openshift Jenkins

OpenShift Developer Tools and Services for OCP 4.11 update for jenkins and jenkins-2-plugins

OpenShift Developer Tools and Services for OCP 4.12 update for Jenkins and Jenkins-2-plugins

Multiple vulnerabilities in OpenShift Container Platform 4.9

Multiple vulnerabilities in OpenShift Container Platform 4.10

Cross-site request forgery in Jenkins Pipeline: Input Step plugin