Bug 2044460 (CVE-2022-20612)
| Field | Value |
|---|---|
| Summary | CVE-2022-20612 jenkins: no POST request is required for the endpoint handling manual build requests which could result in CSRF |
| Product | [Other] Security Response |
| Reporter | Michael Kaplan <mkaplan> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | unspecified |
| CC | abenaiss, adam.kaplan, aileenc, aos-bugs, bmontgom, chazlett, drieden, eparis, ggaughan, gmalinko, janstey, jburrell, jochrist, jokerman, jwon, nstielau, pbhattac, pdelbell, proguski, spandura, sponnaga, vkumar |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | jenkins 2.330, jenkins LTS 2.319.2 |
| Doc Type | If docs needed, set a value |
| Doc Text | A cross-site request forgery (CSRF) vulnerability was found in Jenkins. POST requests are not required for the HTTP endpoint handling manual build requests when no security realm is set. This flaw allows an attacker to trigger the building of a job without parameters. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2022-03-10 19:01:23 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 2044845, 2044846, 2046487, 2046488, 2046489, 2046490 |
| Bug Blocks | 2044461 |
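The Doc Text describes the flaw class behind this CVE: a state-changing endpoint (queue a build) that accepts any HTTP method and nothing that ties the request to the user's session, so a page on another origin can make the victim's browser trigger it. The following Python sketch is an added example written for this page; it is not Jenkins code and does not use Jenkins APIs. Requests are modelled as plain dicts so it runs offline without a web framework, the URL shape `/jobs/<name>/build`, the `X-CSRF-Token` header, and the function names are hypothetical, and the vulnerable handler is shown next to the hardened one, which applies the same fix class the advisory records (require POST) together with a session-bound CSRF token.

```python
"""Added illustration (not Jenkins code): a build-trigger endpoint that
accepts GET and checks nothing (vulnerable), beside one that requires POST
and a session-bound CSRF token (hardened).

Requests are plain dicts so this runs offline without a web framework.
All names, paths and header names here are hypothetical.
"""
import hmac
import secrets

# Constructed state: jobs queued by whichever handler ran.
build_queue: list[str] = []

# Constructed session store: session id -> CSRF token bound to that session.
sessions: dict[str, str] = {}


def new_session() -> tuple[str, str]:
    """Create a session and bind a random CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    sessions[sid] = secrets.token_urlsafe(32)
    return sid, sessions[sid]


def handle_build_vulnerable(request: dict) -> tuple[int, str]:
    """Vulnerable pattern: any method with a job in the path queues a build.

    Because GET is accepted and nothing ties the request to the session,
    a cross-origin page loaded in the victim's browser can cause the build
    to be queued with the victim's cookies attached.
    """
    job = request["path"].split("/")[2]
    build_queue.append(job)
    return 201, f"queued {job}"


def handle_build_hardened(request: dict) -> tuple[int, str]:
    """Hardened pattern: POST only, then a session-bound CSRF token.

    1. Reject every method except POST, so a simple cross-origin GET can
       never reach the state change (the fix class in the advisory).
    2. Require the token issued to this session, compared in constant
       time, so a forged cross-origin POST without the token is rejected.
    """
    if request["method"] != "POST":
        return 405, "method not allowed: build requests must be POST"
    sid = request.get("cookies", {}).get("session")
    expected = sessions.get(sid)
    supplied = request.get("headers", {}).get("X-CSRF-Token", "")
    if expected is None or not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"
    job = request["path"].split("/")[2]
    build_queue.append(job)
    return 201, f"queued {job}"


def demo() -> dict:
    """Run constructed requests through both handlers and report outcomes."""
    build_queue.clear()
    sid, token = new_session()
    # Constructed cross-origin GET: carries the session cookie, no token.
    forged_get = {"method": "GET", "path": "/jobs/deploy/build",
                  "cookies": {"session": sid}, "headers": {}}
    # Constructed cross-origin POST: has the cookie but cannot know the token.
    forged_post = {"method": "POST", "path": "/jobs/deploy/build",
                   "cookies": {"session": sid}, "headers": {}}
    # Constructed legitimate POST issued by the application's own page.
    legit_post = {"method": "POST", "path": "/jobs/deploy/build",
                  "cookies": {"session": sid},
                  "headers": {"X-CSRF-Token": token}}
    results = {
        "vulnerable_get": handle_build_vulnerable(forged_get)[0],
        "queued_after_vulnerable": len(build_queue),
    }
    build_queue.clear()
    results["hardened_get"] = handle_build_hardened(forged_get)[0]
    results["hardened_forged_post"] = handle_build_hardened(forged_post)[0]
    results["queued_after_forged"] = len(build_queue)
    results["hardened_legit_post"] = handle_build_hardened(legit_post)[0]
    results["queued_after_legit"] = len(build_queue)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two checks are deliberately independent: requiring POST alone stops the image-tag and link style of forgery, and the token check covers the auto-submitted cross-origin form that a POST-only rule by itself would still accept.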
Description
Michael Kaplan
2022-01-24 16:33:59 UTC
This issue has been addressed in the following products:

- Red Hat OpenShift Container Platform 4.9 Via RHSA-2022:0339 https://access.redhat.com/errata/RHSA-2022:0339
- Red Hat OpenShift Container Platform 4.8 Via RHSA-2022:0483 https://access.redhat.com/errata/RHSA-2022:0483
- Red Hat OpenShift Container Platform 4.7 Via RHSA-2022:0491 https://access.redhat.com/errata/RHSA-2022:0491
- Red Hat OpenShift Container Platform 3.11 Via RHSA-2022:0555 https://access.redhat.com/errata/RHSA-2022:0555
- Red Hat OpenShift Container Platform 4.6 Via RHSA-2022:0565 https://access.redhat.com/errata/RHSA-2022:0565

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-20612