2044487 – (CVE-2022-20613) CVE-2022-20613 jenkins-2-plugins/mailer: form validation method does not require POST requests which could lead to CSRF

Bug 2044487 (CVE-2022-20613) - CVE-2022-20613 jenkins-2-plugins/mailer: form validation method does not require POST requests which could lead to CSRF

Summary: CVE-2022-20613 jenkins-2-plugins/mailer: form validation method does not requ...

Keywords:
Status:	NEW
Alias:	CVE-2022-20613
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2044913 2044914 2044915 2047839
Blocks:	2044461
TreeView+	depends on / blocked

Reported:	2022-01-24 17:04 UTC by Michael Kaplan
Modified:	2024-05-02 18:49 UTC (History)
CC List:	9 users (show)
Fixed In Version:	mailer plugin 408.vd726a_1130320
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Michael Kaplan 2022-01-24 17:04:44 UTC

A cross-site request forgery (CSRF) vulnerability in Jenkins Mailer Plugin 391.ve4a_38c1b_cf4b_ and earlier allows attackers to use the DNS used by the Jenkins instance to resolve an attacker-specified hostname.

Reference:

https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2163

Comment 2 Adam Kaplan 2022-01-26 18:52:25 UTC

The Mailer plugin is a direct dependency of the openshift-login-plugin. This plugin will need to fix its dependencies before we update Mailer in our Jenkins distributions.

Note You need to log in before you can comment on or make changes to this bug.